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Chapter 1 — Introduction 


The general public usually has two competing viewpoints of hackers. Some 
people revere them as brilliantly minded individuals while others look down on 
them as petty criminals. While both perceptions could be true for many expert 
hackers, the public’s perception has been twisted and contorted by what they see 
on television dramas and in the movies. Because your average user doesn’t 
understand how a computer or the Internet works from a technical perspective, 
they can’t hope to begin to understand what hackers actually do. 


In fact, the term ‘hacker’ usually carries a negative connotation to it. Ask any 
non-technical person what a hacker is, and they’ll give you a response such as, 
“They’re the bad guys that steal people’s credit cards, listen to my phone calls, 
and work with terrorist organizations.” For some reason — likely accredited to 
entertainment media — hackers get a bad rap and most people would instantly 
assume that their behaviors are illegal. These stigmas couldn’t be further from 
the truth, because the reality is that there are many types of hackers. Some of 
them are good, some of them are bad, and some lie somewhere in between. 
There is no single motivation that drives every hacker and no blanket statement 
that you can use to accurately describe every hacker in the world. Also consider 
that hacking isn’t an inherently evil practice and you can do it legally. Some 
people even like to do it for a hobby. More practically, however, some people 
get paid big bucks as consultants to try to hack into a corporate network in an 
effort to find security holes. Be forewarned, though. If you start abusing your 
knowledge it is a slippery slope to the dark side, and nothing good ever happens 
once you’re there. 


If your curiosity has gotten the better of you, if you just want to be able to 
understand what’s going on in the movies and the news, or you have a goal of 
becoming a competent hacker, I want to personally introduce you to hacking and 
guide you to achieving your goals. The problem most people have when they 
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want to start hacking is that they find material that isn’t written for novitiates. 
Once you get the basics under your belt and you can actually apply the 
knowledge you will learn in this book, yov’ll find that you are much more 
educated than your peers and that technology is actually pretty exciting. As the 
tools hackers use have changed over the last couple decades, people that take an 
interest and develop a passion for hacking have changed as well. Though 
technology is only getting more complex with each passing year, the tools 
hackers utilize are becoming more sophisticated — making the learning curve 
much less steep for newbies. 


In this guide, I am going to teach you a lot of valuable information about 
hacking such as: 


-What hacking is and what hacking isn’t. 

-Hacking terminology and hacker culture. 

-Types of attacks and the most famous hacks of all time. 

-Ethical considerations and fair warnings about becoming a hacker. 
-Fundamental concepts that will serve as a foundation to build hacking skills. 
-How to install Linux operating systems using VMWare to setup hacking tools. 
-Step-by-step guides for ping sweeps and port scanning. 

-How to map network topologies and perform reconnaissance techniques. 


-How to use advanced software to find security holes. 


This is designed to be an all-inclusive guide that will not only give you an 
understanding of the basic technical concepts you will need to become a hacker, 
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but also introduce you to some fascinating software and show you step-by-step 
how to use it. I’m sure most of you want to get started hacking right away, but I 
urge you to spend time learning the basics before moving on to some of the more 
challenging attacks discussed in this book. 
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What it Takes to Become a Good Hacker 


One of the reasons some hackers become so successful is because they have a 
passion for what they are doing. Their personality drives them to tackle 
extremely difficult challenges, which is why some hackers break systems just to 
see if they can. If you are going to want to become a prolific hacker, it takes the 
same two things as any other skill you want to build: time and practice. If you 
can’t figure something out in the first two minutes, don’t give up. Some of the 
pros will spend weeks or even months planning and executing their attacks. And 
once you get the basics under your belt, you’re going to be able to implement 
these techniques in a matter of minutes. Arguably, I would say the hardest part 
for a newbie is getting their environment setup. Past that, things start to get 
easier and you can really start to sink your teeth into how the technology works. 
Before we get to the juicy details, we should begin with an overview of hacking 
so you understand some rudimentary concepts and perceptions about hacking. 
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Chapter 2 - An Overview of Hacking 


To your average computer user who doesn’t understand much about Internet and 
network security, hackers are shrouded in a cloud of mystery. Most people don’t 
understand what they do or how they do it. And the movies don’t help to 
demystify them, either. Countless action movies portray a character that takes 
the role of a hacker that can break into top secret computer systems to save the 
world. When the camera pans over their computer screens, you see them typing 
strange letters and numbers into a command prompt that, for all you know, is a 
foreign language. Humorously enough, the hackers in the movies frequently use 
a tool called NMAP, which I will show you how to use later in this book. If 
you’ve seen The Matrix Reloaded, Dredd, Fantastic Four, Bourne Ultimatum, 
Die Hard 4, or The Girl With The Dragon Tattoo (among countless others), you 
have already seen actors using NMAP to facilitate their hacking endeavors in the 
movies. 


But what exactly is hacking? Hacking means a lot of different things to a lot of 
different people. It is an umbrella term used to describe hundreds, if not 
thousands, of various techniques that can be utilized to use computers and 
information systems in unintended ways. At its core, hacking means using a 
computer to gain unauthorized access to another computer system or data that is 
protected or restricted. This is the most conventional meaning of the word 
hacking. Once a hacker has gained access to an unauthorized system, he or she 
then has the ability to steal information, change configurations, alter 
information, delete information, and install further malicious code to capture 
even greater control over the target system. The list goes on and the sky is the 
limit regarding what an experienced hacker can do once they find a way into a 
computer system. 


However, there is a lot more to hacking than clicking a button to attack a 
computer. You will need to use tools and scanners to map the local network 
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topology and use reconnaissance techniques to gather information and look for 
vulnerabilities. The good news for newbies is that these tools are highly 
automated today. In the past, hacking software hadn’t been created that 
aggregated vast amounts of code and tools into simple and easy to use 
commands. As such, hackers in the past needed highly intimate understandings 
of the technologies they were trying to break and it was difficult to do so. 
Having an extremely deep understanding of technology today will certainly help 
you become a better hacker, but my point is that these tools are becoming 
increasingly easy to use. In fact, there are young kids and teenagers that are too 
curious for their own good and take advantage of highly sophisticated tools to 
break into systems they have no business accessing. Understand that these tools 
simplify the hacking process considerably. If a teenager can hack into a system 
using simple tools, guess what? You can too! 


But what does it take to excel as a hacker? Well, most hackers have several 
things in common. First of all, they are experienced software developers and can 
craft malicious programs and viruses that further their cause. Furthermore, most 
hackers are competent Linux users. Linux operating systems are extremely 
secure and provide virtually limitless access to the latest penetration and security 
tools — for free! In addition, some Linux operating systems such as Kali Linux 
were designed for the sole purpose of hacking and network penetration. Linux 
can be scary for newbies, but I will show you how to run Linux and use some 
special tools later in this book in a simplified and easy to understand manner. 
Lastly, hackers almost always have a working knowledge of networking topics 
such as IP addresses, ports, and the dirty details of how different networking 
protocols operate. Some tools even exploit vulnerabilities in these network 
protocols, and the knowledge of these exploits combined with the ability to craft 
computer programs is what makes some hackers truly formidable. 


Some of these techniques are outside the scope of this book since this guide was 
created for beginners, but if you really want to excel as a hacker you would do 
well to study and practice these concepts. Though we won’t touch on software 
development in this guide, I will certainly show you step-by-step how to install 
and use some various hacking tools that the pros take advantage of and teach you 
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the basics of networking addresses and protocols. 
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Chapter 3 — Attack Types and Famous Viruses 


Most of you have probably heard of viruses, worms, malware, key loggers, 
rootkits, and Trojans before, but what the heck are these things and how to 
hackers utilize them to steal people’s data and disrupt their computer systems? 
Each of these tools are a little bit different from each other, but they all have one 
similar goal: to enter a target’s system to provide the attacker with information 
he or she doesn’t already have access to. No, I’m not going to show you how to 
craft nefarious computer software, but you should have a well-rounded 
understanding of these topics if you have any hope of calling yourself a hacker. 


First and foremost, you need to understand the concept of computer viruses 
because they are one of the most popular terms thrown around in discussions 
about cyber security and hacking. A computer virus is a piece of malicious code 
or software program that is able to infect a target system and then make copies 
of itself on other local computers. They are aptly named because they reproduce 
much like a virus in real life, and they facilitate their operations by attaching 
themselves to computer programs. Typically they either render a computing 
system completely useless or they seek to destroy data. Again, you’!l hear about 
computer viruses in the movies a lot, so we’ll take a look at some of the most 
famous computer viruses of all time after defining the other terminology. 


A worm is very similar to a virus, and it’s true that the line between a virus and 
worm gets muddied and blurred. The largest difference is that worms are not 
attached to a computer program. They exist independently on the host system, 
and they often take advantage of network resources to spread to other hosts on 
the network they have compromised. Sometimes worms are also classified as 
malware, because there are only minute differences in the terminology. 
Colloquially, these terms are interchangeable but their meanings vary slightly in 
academic settings. 
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Perhaps you have already experienced the negative consequences of malware. 
One of the most popular ways that malware is distributed is through the medium 
of online downloads, whereby a downloadable file has been corrupted with 
malware that the user then downloads and installs. You’ll see this frequently 
with most files hosted with P2P (Peer-to-Peer) file sharing programs such as Bit 
Torrent. Malware gets its name by combing two other terms: MALicious 

softW ARE. It can also be used as an umbrella term used to describe many 
different types of attacks, and it could mean any software that is used by an 
attacker to create access to a target’s data, block them from their data, or change 
information on their computer. 


Furthermore, a key logger is yet another type of malicious program, and as you 
might have guessed its sole purpose is to log the keystrokes of the user who has 
been infected. This is absolutely disastrous for the target user, because an 
attacker will be able to record and view every single key that the target types on 
their host system. This includes usernames and passwords, Google searches, 
private instant messaging conversations, and even payment card data. If an 
attacker has successfully installed a key logger, the target is at the mercy of the 
attacker. There’s no telling what the attacker could do next — they could hack 
into the target system by using the information they gathered such as usernames 
and passwords, steal money using their payment card data, or use their host 
system to carry out attacks on other hosts on the same network. 


Next, you should also be familiar with the idea of a rootkit. Rootkits are 
extremely dangerous because they serve to edit background processes in an 
effort to hide the malicious activities of an attacker. This will help viruses, key 
loggers, and other malicious code exist for extended periods of time without 
detection on the target system. They can even serve to hide software that would 
have been otherwise detected and quarantined by security software. 
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Last but not least is the infamous Trojan horse, sometimes called a Trojan virus 
or a backdoor virus. They are extremely problematic because they can be slipped 
into innocent-looking applications and they are very hard to detect without the 
right security software. There could even be a Trojan horse lurking in the depths 
of your personal computer right now, and they are frequently used to gain 
complete control of a target system. 


Now that you have a basic understanding of the different types of malicious code 
hackers employ to do their bidding, you should know about some of the largest 
and most famous computer viruses of all time. Some of them are actually other 
types of malicious code such as Trojan horses, but people still refer to them as 
viruses. Any expert hacker will have heard of these famous attacks before, so 
you should know them as well. 


Also, if you get the inkling to try your hand at using one of these methods on 
your own by hunting around on the Internet for freely distributable code that will 
allow you to attack a target system, just know that you’re setting yourself up for 
a disaster. Humorously enough, some hacking newbies try to find rootkits and 
key loggers to attack hosts. But here’s the catch — some hackers actually 
facilitate their attack by taking advantage of people who want access to these 
types of programs. 


And the end result isn’t pretty. In the end, the newbie hacker might actually 
install an expert hacker’s virus and unknowingly infect their own operating 
system! And don’t forget that there are ethical and legal implications as well. 
Many, if not all, of the people responsible for these famous attacks were severely 
punished. So don’t try to research and implement these types of viruses at home! 
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1. Code Red 


I know what you may be thinking, and no, this has nothing to do the movies. 
When people think of hacking in the movies, they think of top secret military 
bases getting hacked by a teenager and raising their alert level to ‘code red.’ 
Believe it or not, it is rumored that the two engineers who discovered and named 
this attack were merely drinking the disgusting cherry-flavored soda when they 
first identified the worm back in 2001. This worm was pretty darn nasty, and its 
targets were servers that were running the Microsoft IIS software for web 
servers. 


This attack relied heavily on an exploit found in the code that left servers 
vulnerable to a buffer overflow issue in an older version of code. However, it 
was a huge problem and very difficult to detect because it had the ability to run 
solely in memory (RAM, or short term storage as opposed to long term storage 
such as a hard disk drive). And things got out of hand pretty quickly, too. After it 
had compromised a system, it would then try to make hundreds of copies to 
infect other web servers. Not only that, but it gobbled up a ton of local server 
resources that all but crippled some of the target systems. 
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2. Sasser 


Sasser is another worm designed to target Windows (noticing a pattern here?). It 
first found its way into the spotlight back in 2004 and was created by a 
legendary and infamous hacker named Sven Jaschan who was also responsible 
for another famous worm named Netsky. One reason this worm made Internet 
security headlines was that it had affected more than a million targets! Yet again, 
this worm took advantage of a buffer overflow vulnerability that caused target 
systems to crash. 


It also made it nearly impossible to reboot your computer without removing the 
power cable and it caused many computers to crash completely. To be fair, most 
people saw this worm as a nuisance as opposed to a serious threat. But it cannot 
be denied that it caused massive and widespread disruption. It even infected 
critical infrastructure devices that caused networks to perform very poorly. Like 
other types of worms, it used its target computers to propagate and multiply 
itself to other computers. 


But one of the biggest problems with this worm is that users didn’t upgrade their 
operating systems after a patch had been created. Both public and private sector 
organizations were affected like news stations, transportation systems, healthcare 
organizations, and even some airline companies. But what was the end result? 
The damages were collectively chalked up to be approximately $18 billion 
dollars! What happened to the infamous Jaschan, you ask? Fortunately for him, 
he was still young so he received a slap on the wrist considering how much 
damage he did. He ended up with a suspended sentence lasting 21 months. 
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3. Zeus 


The Zeus virus was really a Trojan horse created to infect (can you guess which 
operating system?) Windows machines in an effort to force them to carry out 
varying procedures that were deemed to be criminal activity. Most typically, it 
would be used to carry out key logging activities and man-in-the-middle attacks 
that would allow an attacker to first sift through web browsing information 
before sending it to the intended web server. It most frequently infected hosts by 
utilizing innocent-looking applications as a transport medium into the intended 
targets, but the attack also employed phishing techniques. 


After it had been discovered in 2009, it had ruined thousands of individual file 
download and FTP accounts from the largest banks and corporations. Those 
involved include Amazon, Bank of America, Oracle, and even Cisco. The attack 
also allowed the hackers to steal usernames and passwords to social media sites, 
email accounts, and banking information. 
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4. The I Love You Attack 


The ‘I Love You’ attack is so impressive and revered in hacker communities 
because it created a whopping $10 billion dollars in estimated damages. What’s 
more impressive is that researchers believe that 10% of every computer 
connected to the Internet at the time was infected with this virus. Infecting 10% 
of the Internet with a computer virus is staggering to say the least. Things started 
becoming so terrible that some of the larger organizations as well as 
governmental agencies around the world started shutting down their mailing 
systems in an effort to avoid becoming infected. 
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5. Melissa 


This naughty virus was supposedly named after an exotic dancer the creator, 
David L. Smith, had once known. Supposedly, the very root of the virus was an 
infected text document that was uploaded to the alt.sex Usenet group with the 
appearance of being a collection of usernames and passwords for subscription 
and membership-only pornographic websites. But once a user downloaded this 
Word document, all hell would break loose and the virus would activate. 


To start, the virus would look at the first 50 addresses in the infected host’s 
email address book and start sending those addresses emails. In turn, this would 
severely disrupt email services of large enterprises and governmental bodies. 
Furthermore, the virus would even corrupt documents by adding references to 
the television show The Simpsons. However, the original Word document was 
eventually traced back to Smith and he was arrested within a week of the virus’s 
propagation. Although Smith only ended up serving 20 months of prison time 
and a $5,000 fine (he originally had a 10 year sentence) because he turned snitch 
on other hackers and helped the FBI make more arrests. To top it all off, it was 
estimated that the damages from his virus totaled approximately $80 million 
dollars. 
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6. The Conficker Worm 


The Conficker worm first appeared in 2008 and it comes from an unknown 
origin. This worm was especially troublesome because it created a botnet (a 
group of infected computers networked together) of more than 9 million 
different hosts that harmed governmental agencies, large enterprises, and simple 
individual users alike. This worm makes the top 10 list because it caused 
damages estimated at a staggering 9 billion dollars. It was able to infect 
Windows machines due to an unpatched vulnerability dealing with background 
network services. 


After a host had been infected with the worm, the worm would wreak havoc by 
preventing access to Windows updates and antivirus updates, and it could even 
lock user accounts to prevent people from logging in and cleaning up the worm. 
If that weren’t bad enough, the worm would then continue its attack by installing 
malicious code that would make the target computer part of the botnet and scam 
users into sending the attacker money by holding their computer ransom. 
Microsoft and third party antivirus software providers eventually released 
updates to combat and patch this worm, but it did massive amounts of damage 
before a solution could be reached. 
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7. MyDoom 


MyDoom was first seen back in 2004, and it was one of the fastest email worms 
to infect masses of computers since the I Love You attack. The creator of this 
attack is still unknown, but it is rumored that the creator was paid big money to 
carry out this attack due to the message included in the virus that read, “Andy, 
I’m just doing my job. Nothing personal, sorry.” 


This worm was incredibly sly because it took on the appearance of an email 
error. After a user had clicked on the “error” to view the problem the worm 
would send copies of itself to people found in the email address book of the 
infected system. Furthermore, it would copy itself into peer-to-peer directories 
on the infected hosts to spread throughout the network. It is also believed that 
the worm is still lurking on the Internet to this day, and it caused approximately 
$38 billion dollars’ worth of damages. 
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8. Stuxnet 


This attack has a somewhat political background as it is thought to have been 
created by the Israeli Defense Force in conjunction with the American 
government. While some of the past viruses were created out of malice, 
contempt, or the curiosity to see just how much damage a prolific hacker could 
create, this virus was created for the purpose of cyberwarfare. The goal was to 
stymy the initiatives of the Iranians to create nuclear weapons, and almost two 
thirds of hosts infected by this virus were located in Iran. 


In fact, it is estimated that the virus was successful in damaging 20% of the 
nuclear centrifuges in Iran. More specifically, this virus targeted PLC 
(Programming Logic Controllers) components which are central to automating 
large machinery and industrial strength equipment. It actually targeted devices 
manufactured by Siemens, but if it infected a host that didn’t have access to 
Siemens products it would lurk on the host system in a dormant state. 
Essentially, it would infect the PLC controllers and cause the machinery to 
operate far too fast — which would ultimately break the machinery. 
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9. Crypto Locker 


This virus is another example of a Trojan horse that infected Windows 
machines, and the goal was to ransom target computers in exchange for money. 
This Trojan was very cunning because it had several different ways to spread to 
other computers. However, it was incredibly troublesome because after it had 
infected a host, it would then proceed to encrypt the hard drive with an RSA key 
that the owner of the computer never had access to. If you wanted your files to 
be unencrypted, you would have to pay money with prepaid methods or bitcoins 
to the initiators of the attack. 


Many people were successful in removing the Trojan from their computers, but 
they still had one gargantuan problem: the files on their hard drive were still 
inaccessible because they could not be decrypted without the key. Fortunately 
the leader of the attack, Evgeniy Bogachev, was caught and the keys used to 
encrypt the targets’ hard drives were released to the public. Apparently, the 
attack was successful in garnering $3 million from the ransoms, and it infected 
about half a million targets. 
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10. Flashback 


I always love it when Apple evangelists claim to PC users that their computers 
are superior to Windows machines because their code is infallible and there is no 
way to get a virus on a Mac. While it’s true that Windows machines are more 
susceptible to viruses, Macs aren’t perfect either. Such was the case with the 
Flashback Trojan that was first observed in 2011. This Trojan used infected 
websites to inject faulty JavaScript code into the host browser, and it made 
infected Mac hosts part of a botnet. Believe it or not, this Trojan had infected 
over 600,000 Mac computers and a few of those were even contained at Apple 
HQ. Also, though numerous warnings and solutions have been created for this 
Trojan, many believe it is still lurking in the depths of the Internet and that 
thousands of Macs are still affected. 
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In Summary 


Viruses, malware, and Trojan horses are just one facet of hacking, though. The 
truth is that these viruses were created by experts who had a deeper knowledge 
of computing systems than many of the security experts. All of the people who 
carried out these attacks were expert software developers and coders. If you 
think you want to become as infamous as these types of hackers, you’re going to 
need to become an expert software developer. There’s no way around it. 
However, I would hope that this section only opened your eyes to the potential 
some of these attacks have to cause widespread devastation and costly damages. 


Again, please understand that the purpose of this guide isn’t to teach you how to 
create a program that will harm other people’s computers, rack up massive 
multimillion dollar damages, and leave you with heavy consequences such as 
prison time and ungodly fines. However, as a white hat hacker, you need to be 
aware that these types of attacks exist so you have a basic hacking vocabulary 
and some foundation knowledge. 


I will, however, show you how to crack various passwords, map network 
topologies, exploit vulnerabilities, and scan targets for security flaws. In these 
types of examples, we will be focused on hacking into a single target host or 
network instead of trying to release a plague upon the global Internet. All of that 
in good time, however, because first you need to understand the different types 
of hackers that lurk on the Internet, ethical considerations regarding your use of 
the knowledge in this book, and the consequences of your actions should you 
misuse this information and get caught red-handed. 
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Chapter 4 — Ethical Considerations and Warnings 


A book about hacking would be irresponsibly incomplete without a chapter 
giving you a fair warning on the consequences of misusing these techniques as 
well as the ethical considerations of hacking. To begin this discussion, you need 
to be familiar with two different terminologies that describe different types of 
hackers: black hat and white hat. I like the imagery these terms bring to mind 
because they always seem to remind me of Spy vs Spy. 


Black hat hackers are what most people typically think of when they hear the 
word “hacker.” A black hat hacker is the type of nefarious Internet user who 
exploits weaknesses in computing systems for personal gain or in order to 
disrupt an organization’s information systems to cause them harm. He’s the guy 
wearing a high collared shirt, sunglasses, and a fedora behind an array of 20 or 
so computer monitors or the nerd in the movies who can break into a top secret 
system illegally. 


There really isn’t any good that can come out of adopting a black hat approach 
to hacking, either. When you hear in the media that a financial institution just 
lost thousands of usernames and passwords or that a social media database was 
compromised that caused vast amounts of people to lose sensitive personal 
information, the attack was carried out by a black hat hacker. Recently, there 
was even a module of code contained in a WordPress plugin that was susceptible 
to an XSS vulnerability (a type of security flaw in websites with caching 
plugins) that was being exploited worldwide by the extremist group ISIS. If you 
are reading this book because you have dreams of causing mass disruption and 
chaos, I would highly advise you to reconsider. However, understand that 
security and penetration tools aren’t inherently good or evil. One could argue 
that they are much like firearms in the sense that the weapon is an inanimate 
object and it is only as good or evil as the person wielding it. 
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White hat hackers, on the other hand, are the complete opposite. They’re the 
good guys who do everything in their power to find potential security flaws and 
correct the errors so the black hat hackers can’t break a system. As you read this 
book, you need to consider all of the tools and techniques I show you from the 
perspective of a white hat hacker and use them responsibly. If you pursue white 
hat hacking professionally, you can add tremendous value to the organization 
you work for and make big money doing so. Some white hat hackers that have 
the CEH (Certified Ethical Hacker) certification make salaries well into the six 
figure range. Internet security is only becoming more important with each 
passing year, and a talented white hat hacker can use penetration testing tools 
and footprinting methods to identify disastrous security flaws on the 
organization’s network and information infrastructure and patch them before 
they become a problem that would cost the organization obscene amounts of 
money. 


Furthermore, you need to be aware of the consequences of misusing the 
knowledge you learn in this book. Though you likely won’t get caught snooping 
around a network attached to an unsecured SOHO (Small Office/Home Office) 
wireless network in your neighborhood or at your favorite local coffee shop, you 
need to respect other people’s rights to privacy. Think about it — how would you 
feel if you were sitting down for a cup of coffee while reading a book only to 
find out later that someone had attacked your Kindle over the coffee shop’s 
network and stole your data? You would feel enraged, irritated, and violated. So 
remember the golden rule as you grow into a white hat hacker. 


Also consider that using penetration tools on networks where you don’t have any 
authority to do so could lead to some extremely negative consequences. Let’s 
face it, you don’t have the right to steal other people’s personal information — 
it’s illegal. Not only could you provoke civil lawsuits, but you could even face 
jail or prison time depending on the nature of your offense. If you choose to do it 
on your employer’s network and you get caught, the best case scenario is that 
you would have some extremely uncomfortable questions to answer and the 
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worst case scenario is that you would become fired. It’s just not worth it, so keep 
that in mind moving forward. 


Instead of testing out these techniques on public or corporate networks, my 
advice would be to try these in your very own home. Even a small home network 
will provide a digital playground for you to test out your new security skills. All 
you would need to run through some of these demos would be a personal 
computer, a wireless router, and preferably a few other devices that you can 
attach to your network. In the footprinting section I will show you how to run 
ping sweeps and other utilities to perform reconnaissance and information 
gathering methods, so having several other devices will give you more “toys” to 
play with on your local area network (LAN). 


By now I hope you understand that the word “hacker” is rather ambiguous. 
Years ago, it rightfully meant a black hat hacker. Today however, it could refer 
to any number of different types of people who are extremely knowledgeable 
about technology, and the term “hacker” doesn’t necessarily mean someone who 
is trying to steal intellectual property or break into a restricted network. Calling 
someone a hacker is the layman’s approach to describing a digital thief, but 
security professionals will often draw the line between the white hats and the 
black hats. 


With all of the dire warnings out of the way, we can now proceed to the juicer 
and more pragmatic sections of the book you have all been waiting for and we 
can begin to learn how you personally can get your feet wet with hacking. To 
begin, understand that this book is written with the assumption that you have 
little to no understanding of rudimentary networking and security concepts. 
Because this book is written for beginners as opposed to seasoned Internet 
security professionals and expert hackers, you need to first have a basic 
understanding of network terminology, addressing concepts, and other 
fundamentals that you will be able to use as a foundation to build your hacking 
skills upon. So, let’s get started networking fundamentals! 
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Chapter 5 — Networking Fundamentals 
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Understanding the OSI Model and Networking Terminology 


The OSI Model (Open Systems Interconnection) is one of the best places to 
begin if you are lacking a working knowledge of networking concepts. Just 
about every one of the demos we will run through together is heavily based on 
the OSI model and network security professionals often throw around 
terminology and jargon related to different components of this model. Also, it 
will benefit you personally if you understand what level of the OSI model 
various attacks target and this knowledge is fundamental to understanding IP 
addresses and ports, which we will cover later in this chapter. 


To begin, understand that the OSI model consists of seven different layers as 
follows: 


7. Application — A computer application that creates data such as an email or 
instant messaging program 


6. Presentation — The method of encoding data, such as ASCII text 
5. Session — TCP ports (FTP, POP, HTTP, HTTPS, etc.) 

4. Transport — TCP or UDP connections (among others) 

3. Network — IP addresses and packets 

2. Data-Link — MAC addresses and frames 


1. Physical — ones and zeros (bits) transmitted across a cable 


(*Note: If you don’t understand some of the terminology described above, take a 
deep breath and relax. We’ll get to that later.*) 
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I realize that this list may look odd because it starts with the number 7, but the 
first layer of the model is always represented on the bottom since each additional 
layer is dependent on its subordinate layer to encapsulate and transmit data. You 
can remember the first letter of each layer with the pneumonic ‘Please Do Not 
Throw Sausage Pizza Away’. We won’t go into great detail about the finer 
points of this model as we will really mainly be concerned with layers 2, 3, 4, 
and 5 from a hacking perspective, but you need a high level understanding of the 
OSI model regardless. 


Each layer has its own specific function to facilitate data transmissions between 
two remote systems. As data (like the text in an instant messaging application) is 
generated on one device, it starts at the top of the OSI model in the application 
layer and gets pushed down through each subordinate layer until it becomes 0’s 
and 1’s on a cable at the physical layer. Each layer encapsulates data for 
transmission before sending it on to the next layer for further encapsulation. The 
process works much like Russian nesting dolls. Once the data has reached the 
physical layer, it gets transmitted as binary bits over a cable medium. Then, the 
receiving host unpacks the encapsulated data from each layer using the reverse 
process. 


This model is fundamental to understanding data transmission, but how will this 
help you build a skillset for hacking? First of all, it is essential to understand this 
model if you hope to learn about different network protocols and TCP/IP ports. 
Also, terminology is often thrown around regarding a device’s or protocol’s 
function and what layer of the OSI model it belongs to. For example, MAC 
addresses are a layer 2 address while IP addresses are a layer 3 address. And 
ports — which I am sure you have heard of before — belong to layer 5. We will 
dig into all of these concepts shortly, but first you need to know about IP 
addresses so you can identify various hosts when you are hacking! 
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IP Addressing Essentials 


Of the fundamental concepts we are discussing in this book, IP addressing is by 
far the most important. But what is an IP address? Well, and IP address is a 
number that serves as a unique identifier that helps computers differentiate 
between hosts connected to their network. The most common analogy to 
describe this concept is that of the post system. If you wanted to mail a letter to 
someone (send them data), you would first need to know their home’s address 
(IP address) before your message could be delivered. 


Whether you know it or not, you have undoubtedly seen IP addresses already. 
They consist of four numbers ranging from 0-255 that are separated by periods 
as in the following example: - 192.168.1.1 


Also understand that an IP address is 32 bits long. We won’t dig into binary 
math because it won’t do much for our network penetration examples later in 
this book, but know that each number separated by a period in the address is 
called an octet. It is called this because each of the four numbers are 8 bits (1 
byte) in length. However, this IP address lacks something called a subnet mask, 
so we don’t know what network it belongs to. 
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Subnet Masks 


Each IP address is composed of two portions: the network portion of the address 
and the host portion. A subnet mask determines how much of the IP address 
defines a network and how much of the address identifies a host on that network 
subnet. For the remainder of this book, just note I will use the terms LAN (Local 
Area Network) and subnet interchangeably. Consider the following four 
examples of subnet masks: 


1. 255.0.0.0 (/8) — 8 bits (the first octet) define the network portion of the 
address. 


2. 255. 255.0.0 (/16) — 16 bits (the first two octets) define the network portion of 
the address. 


3. 255. 255. 255.0 (/24) — 24 bits (the first three octets) define the network 
portion of the address. 


4. 255. 255. 255. 255 (/32) — This subnet mask indicates a host address. It does 
not indicate a network subnet. 


Note that subnet masks can be written using two different notations. Consider 
the first example. 255.0.0.0 is just another way of writing “/8” because they both 
indicate that the first octet in the IP address (the first byte or the first 8 bits) 
describes the network portion of the address. 


Did you notice how these four subnet masks are in multiples of 8? That was 
intentional because it makes our example much easier. The truth is that there are 
many more complex subnet masks such as /17, 21, or 30 that lie outside the 
scope of this book because they require binary math. However, on private home 
networks such as the environment where you will be testing our demos, a 24 
subnet mask is by far the most common. I’d even bet big money that your home 
network device uses a 24 subnet mask. That is, unless you changed it — in which 
case you would already know about IP subnets! 
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So, now it’s time to put two and two together. We are going to consider an IP 
address and a subnet mask together, determine the host and network portion of 
the address, and then determine the complete range of usable IP addresses for 
that subnet. Consider the following: 


- IP Address: 192.168.1.1 
- Subnet Mask: 255.255.255.0 


All right, so let’s chop up the IP address and define the network portion of the 
address. Can you work it out? When the subnet mask is applied to the IP 
address, we see that the first 3 octets determine the network subnet. So, 
192.168.1.0 24 is the network on which the host with the IP address 192.168.1.1 
resides. That means that the last octet determines the host portion of the address. 
On the 192.168.1.0 24 network subnet, this host has the address of “1.” 
Furthermore, we can conclude that because each octet can range from 0 — 255 
that other hosts on the 192.168.1.0/24 subnet can use addresses from 2-254 (you 
never use the 0 or 255" address). Usable addresses on this subnet include 
192.168.1.2 — 192.168.1.254. Understand that if the 192.168.1.1 host was 
sending data to the host using the 192.168.1.2 address, they are communicating 
over their LAN since they belong to the same network. 
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Two Special Network Addresses 


So why don’t we use the 0 or the 255" addresses on a subnet as host addresses? 
Because these two addresses are special. The first one is called the network 
address. This address can’t be assigned to a host because it defines an entire 
network. In our example above, this address was 192.168.1.0. Also, note that the 
last address on a network subnet is the broadcast address. This address is used 
to send information to every host residing on that network at the same time, so 
this address can’t be used for a single host address either. In our previous 
example, the broadcast address is 192.168.1.255. 
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MAC Addresses 


MAC (Media Access Control) addresses are layer 2 addresses, and they are 
globally unique. Each MAC address is contained on the network card of your 
computer, and it is composed of twelve hexadecimal digits (0-9, A, B, C, D, E, 
F) which total 48 bits in length. The following is an example of a MAC address: 


- B8EE:6525:7EA6 


The first half of the address — the first 6 digits — indicate the OUI 
(Organizationally Unique Identifier). This is just a fancy way of saying that it 
marks who manufactured the network card hardware in your computer. The last 
6 digits are a unique identifier for that manufacturer’s network cards. 


Because MAC addresses are layer 2 addresses, they cannot be routed on the 
Internet. They belong in the data-link layer of the OSI model, and they can only 
help devices speak to one another on the same LAN via a layer 2 network 
switch. In order for layer 2 addresses and layer 3 addresses to operate together, 
we need a mechanism that binds them together. 
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ARP (Address Resolution Protocol) 


ARP is a network protocol that binds layer 2 addresses to layer 3 addresses. Both 
networking devices and computers alike keep tables that record ARP 
information on the LAN so they can keep track of which MAC addresses are 
paired with which IP addresses. This information is constantly changing every 
time you take your laptop or mobile device to a new wireless network, and this 
information is critical to facilitating types of attacks such as a man in the middle 
attack. 


Basically, when a host wants to send data to another computer, it has some 
decisions to make regarding how it will send the data. Here’s how it works. The 
host first takes a look at its own IP address and determines if the destination host 
resides on the same subnet. If not, the host sends that information to its default 
gateway to be routed to the appropriate network. The host will look at its ARP 
table, find the matching entry for the default gateway, and address its data to the 
default gateway’s MAC address. However, if the destination host is on the same 
subnet, all it needs to do is find the matching MAC address for the destination IP 
and send it directly to the intended party. 


If you use a Windows computer, you can use the arp —a command from the 
command prompt to view the contents of your ARP cache. ARP is an integral 
part of modern networks, and there are many advanced exploits that revolve 
around manipulating this protocol, so you need to have a basic understanding of 
it. 
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Ports and Firewalls 


Ports, which are also sometimes called sockets, were one of the hardest 
fundamental concepts for me to wrap my head around when I first started 
learning networking engineering and computer hacking years ago. Basically, 
they are numeric values that are part of the TCP/IP protocol suite that are used to 
tag different types of traffic. By tagging traffic, devices like firewalls can take 
different actions when different data streams flow through a network. 


There are literally thousands of different ports that are each used for different 
types of traffic and applications, but only a few of these are well-known 
protocols. Some software developers reserve certain ports for their custom 
application traffic, but you only need to be concerned with the well-known ports 
to get your feet wet with hacking. It is crucial that you have a basic 
understanding of ports because later we will go through the process of port 
scanning on your local network to ascertain which of these ports are open and 
which are closed. 


The following are some of the most common ports and their respective protocols 
and traffic types: 


-Port 80: HTTP (Hyper Text Transfer Protocol — used for web browsing and web 
pages) 


-Port 20/21: FTP (File Transfer Protocol — used to download files remotely) 
-Port 443: HTTPS (Hyper Text Transfer Protocol Secure — encrypted HTTP) 
-Port 22: SSH (Secure SHell — used to remotely run command line procedures) 


-Port 53: DNS (Domain Name System — used to bind IP addresses to URLs) 
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-Port 547: DHCP Server (Dynamic Host Configuration Protocol — automatic IP 
address assignment) 


As you can see, each network protocol is assigned its own unique port number. 
These ports provide a way to handle various types of traffic differently. For 
example, if I didn’t want anyone to download files from a personal file server I 
was hosting on my network, I would block connection attempts on port 20 and 
21 (FTP). This is an extremely basic example, but understand that if you see a 
host with an open port, that host will accept connections using that specific type 
of traffic. As another example, consider a web server that hosts a website. It will 
have either port 80 (HTTP) or port 443 (HTTPS) open, and clients can make a 
connection on those ports with the server to download the webpages to their 
browser. 


These ideas bring us to the next important concept: firewalls. 


The term ‘firewall’ is thrown around in the movies a lot, but most people don’t 
understand what they do. Though they have many advanced features, one of a 
firewall’s most basic functions is to permit or deny traffic to a network. 

Firewalls in home environments act as a single point of failure — meaning that all 
of the data in transit to/from the local network needs to first pass through the 
firewall. Because it acts as the only way into a network, the firewall can prevent 
hackers from making connections on specified ports to protect the local network. 


This concept refers to a hardware firewall, but there are software firewalls as 
well. For example, just consider the program adequately named Windows 
Firewall. It is a piece of software that will prevent the networking card in your 
computer from making connections on any of the ports you choose to block. We 
will see how to scan a target system later with a port scanner to see which ports 
are open and potentially exploitable. 
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You should also know how to run a ping as well as view your IP address, subnet 
mask, and MAC address. These are extremely simple commands, and they are 
used frequently by networking security professionals. They are all run from the 
command prompt, so in Windows open up the command prompt by searching 
for it or hitting your Windows key and typing ‘cmd.’ The application’s icon is a 
black box, and once you run this program you see a prompt with a blinking 
underscore. 


To view your IP address, subnet mask, and default gateway, just type ipconfig 
into the command prompt. On the other hand, if you want to see your MAC 
address, just type ipconfig /all into the command prompt. If you are using a Mac 
or Linux computer, the command is only slightly different. On these systems the 
command is ifconfig. 
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In Summary 


Please understand that we could go much deeper into these topics. In fact, there 
have been entire books written about some of these subjects, but they are too 
advanced for a beginner and lie outside the scope of this book. The idea is to 
give you a working knowledge of these ideas to facilitate your hacking and 
penetration testing endeavors. However, if you want to further your knowledge 
on these concepts, it will only help you become a better hacker. Now that you 
know what IP addresses, MAC addresses, ports, and firewalls are, we can move 
on to more advanced topics. 
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Chapter 6 - The Hacker’s Tool Belt 


Hackers have a lot of tools in their tool belt that the average user hasn’t even 
heard of. These tools aren’t incredibly special or secretive, but most people 
simply don’t understand what they are or how to use them. The honest truth is 
that there are boatloads of different tools out there that can be used to break into 
a system or be used to identify vulnerabilities. 


Oh, and guess what? Surprisingly enough, many of them are completely free to 
use. Part of the reason many of these tools are free to use stems from the fact that 
many of the tools were written for Linux, and the vast majority of Linux 
software is free of charge because it is protected by the GNU license. 


Some of the most popular types of hacking tools that we’ll take a hands-on look 
at in this guide include: 


-Vulnerability scanners - we’ll take a look at one called OpenVAS later in this 
book 


-Port scanners — we’ |l also see how to use a port scanner called NMAP 


-Packet sniffers — this software listens to and records all of the information 
flowing over your network, and we’ll use one later for a man-in-the-middle 
attack -demonstration 


-Password crackers — these tools are used to uncover the password to a system 


While this certainly isn’t a comprehensive list of the tools a hacker has in their 
tool belt, these are certainly some of the most popular and most important tools 
you need to be aware of. Let’s take a closer look at each one of these types of 
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tools in detail. 
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Vulnerability Scanners 


Vulnerability scanners were originally designed to help white hat hackers find 
potential security holes in their computing systems to plug up the security holes 
before a black hat hacker could find a way to penetrate the system. However, 
these scanners can be used for both good and evil. 


Black hat hackers can easily leverage a vulnerability scanner to find a weakness 
in a network, server, or host to facilitate an attack. And these scanners are pretty 
easy to use, too. Though some of the fine-tuning and tweaking of the scan you 
want to perform can get a little complex, by and large all you need to do is point 
the scanner at a target and click a button. But a vulnerability scanner on its own 
isn’t very dangerous. A black hat hacker will then need to use other types of 
software in order to take advantage of the vulnerabilities found with the scanner. 
Vulnerability scanners are really only used to identify weaknesses, plain and 
simple. 


Later in this book we’re going to go through the installation process of one such 
scanner named OpenVAS. We will be installing it in a Linux environment, and 
the installation process is the hardest part. After we run through the demo later in 
the book, all you need to do is supply an IP address and click a single button. 
Once the scanner is up and running, it is ridiculously easy to use. 


Pros of Vulnerability Scanners: 


-Help make systems more secure by identifying weaknesses that an 
administrator or security expert can then address and take care of 


-Mitigates the risk of hackers taking advantage of a system 
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-They are fun to use! 
Cons of Vulnerability Scanners: 


-Sometimes they are not perfect and have the potential to miss the latest system 
vulnerabilities 


-They rely partially on a database of vulnerabilities that needs to be continuously 
updated 


-Hackers can take advantage of them to find ways to break into a system 
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Port Scanners 


A port scanner is basically a software utility that can be used to determine which 
ports a host is accepting connections on. For example, if I wanted to see if I 
could pull up a web page from any hosts on my network, I would scan my 
subnet to see if any hosts have port 80 open. But this is a basic example. 


The information obtained from a port scanner can help attackers read between 
the lines and determine the purpose of a host on their network. For example, if a 
port scanner showed that a host had port 9100 open, you could reasonably 
assume that the host you scanned is either a printer or a print server since port 
9100 is used for printing. I know, I know, printers are boring. But it is amusing 
to think that you could send print jobs to your neighbor’s printer and print 
anything you wanted to after identifying their printer with a port scanner (don’t 
actually do that, it’s just funny to think about). 


But think how far an attacker could take this concept. By identifying the services 
that are running on a host, they can determine what type of server they are 
dealing with, whether or not they have found an infrastructure device like a 
router, switch, or firewall, or find ways to attack end user computers by making 
connections on their active ports. 


Now take a moment to consider things from a white hat perspective. An ethical 
hacker could use a port scanner to verify that all of the ports on a network that 
should be closed are actually closed. It is a useful verification tool that can be 
used to prevent vulnerabilities. 
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Layer 4 Scanners 


Remember how important I told you the OSI model is? Well there is a whole 
class of scanners that targets layer four (the transport layer) of the OSI model 
specifically. These scanners look for minute details in the operation of layer 4 
protocols such as TCP (Transmission Control Protocol) and UDP (User 
Datagram Protocol) to find weaknesses in hosts. The inner workings of these 
protocols are actually quite complex, but realize that there is a process called a 
handshake that two hosts make before they form a connection. By tricking and 
manipulating the handshake process, attackers can cause serious harm to systems 
in the form of a DoS (Denial of Service) whereby an attacker breaks the logic in 
these protocols to cause a host or service to stop functioning or severely 
underperform. 
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Packet Sniffers 


Packet sniffers are invaluable tools that are able to capture, store, and display all 
of the information that is flowing over a cable or transmission medium such as a 
wireless interface. By using a packet sniffer, you’!l be able to see in great detail 
all of the conversations that computers are having with each other. 


You can see connection attempts, file transfers, and even Google searches. 
Packet sniffers are especially dangerous when data is being sent in plain text, 
which is another way of saying that the data isn’t encrypted before it is sent to 
another host. So, for example, if your username and password weren’t encrypted 
before being sent to a server, and attacker can leverage a packet sniffer to 
capture that data and steal your username and password. 


But some packet sniffers, such as Wireshark, are difficult for newbies to read 
because they simply don’t understand how the various protocols operate. A 
packet sniffer will show an attacker the nitty-gritty details of a traffic stream’s 
raw data. More specifically, it can show you the IP address of a host that 
initiated a connection, how another host responded to the connection attempt, 
any data that was sent during the session, and what type of data is flowing over 
the connection via its port number. 


Have you ever wondered how ISPs can see what type of data is flowing over 
their network and determine which hosts are visiting specific websites? Packet 
sniffers are but one tool among many that they use achieve this goal. 
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Password Cracking Utilities 


Hackers frequently use tools called password crackers to gain unauthorized 
access to computer systems. Cracking is basically a term used to describe the 
process of obtaining a password that is hidden or stored in a protected format. 
For example, there are wireless password cracking tools that allow an attacker to 
gain the password to a Wi-Fi network without needing to know the security key 
upfront. 


But there are many other types of passwords and methods used by these utilities. 
Some people have heard of a brute force password attack before, and these can a 
long time to perform. In the brute force process, a computer will try to guess 
every conceivable password to gain access to a system by trying every unique 
combination of characters. 


In addition, there are also dictionary based attacks that are useful for breaking 
weak passwords. These types of attacks take a more pragmatic approach to 
cracking a password because they try passwords based upon a dictionary of 
common and popular phrases. Typically an attacker will try a dictionary attack 
before a brute force attack because there is a higher chance of cracking a 
password with a dictionary based attack. Brute force attacks have one colossal 
downfall: they can be extremely slow due to the millions and millions of 
combinations they need to try to be successful cracking passwords. The process 
can last for days. Dictionary based attacks, on the other hand, are typically much 
faster because they don’t have near as many password combinations to attempt. 
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Chapter 7 — Utilizing VMWare 


One of the easiest ways for you to build different environments that you can 
learn to hack in is by using VMWare. But what does this software actually do? 
VMWare allows you to run code called ‘virtual machines.’ Essentially it has the 
power to virtualize entire operating systems so you don’t have to wipe the 
operating system off your host computer and install a completely new one to get 
started hacking. Sometimes newbies who want to get started hacking may try to 
install an operating system such as Kali Linux in addition to their host operating 
system such as Windows. The only problem is that one configuration mistake 
with the installation could cause a user to lock themselves out of their Windows 
operating system completely. 


Other times they may even accidentally repartition their hard drive and wipe out 
all of their old files. This is a huge headache, but installing VMWare will solve 
these problems and allow you to run multiple operating systems simultaneously. 
The good news is that VMWare Player is free to use and easy to install. You can 
find the release notes and download link for VMWare Player on VMWare’s 
website, and you will want to download and install this program for some of the 
demos later in this book. 


It is assumed that you have the ability to install basic software, so we won’t get 
into the VMWare installation process. It’s pretty darn simple, and all you need to 
do is follow the installation wizard. Also you could be installing this software on 
different platforms, and the installation steps would change. If you need help 
installing this software, you can find help on the VMWare website for your 
given operating system. 


After you have downloaded and installed VMWare, you need to download 
operating system images to run in VMWare. More specifically, you should go 
ahead and download Ubuntu Linux and Kali Linux images. You can find Kali 
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Linux images for VMWare and Ubuntu images for VMWare for free online. 
After you have downloaded an image, to install it you need run VMWare Player. 
Then click on Player => File => New Virtual Machine and browse to the image 
you downloaded. Alternatively you can just hit ctrl + N after you have opened 
VMware. When you first install a new image in VMWare, it will ask you to 
name it. Personally, I just name the virtual machine the same name as the 
operating system to keep things straight. 


Once the image has been successfully downloaded and you install it in 
VMWare, the VMWare application will go through the installation procedure 
exactly as if you were trying to install that operating system on your computer, 
but it will install it within your host environment. As you proceed through the 
installation process, portions of the procedure will ask you if you want to install 
a variety of packages. Make sure that you select all of the packages that are 
described as ‘security’ or ‘penetration testing’ packages. If you fail to install 
these packages, you will need to go through the installation processes 
individually for the demonstrations that I walk you through later such as NMAP. 
If you have any trouble installing your operating system in VMWare, all you 
need to do is follow the guide on the Kali Linux or Ubuntu sites. 


You should also have an idea of the intended uses for each operating system. 
Ubuntu is designed to be an easy to use replacement for other desktop operating 
systems such as Windows. It is well-suited for everyday use, and you don’t need 
to be a Linux expert to use it. As such, it is a great environment to expand your 
Linux skills and it offers plenty of different penetration testing tools, scanners, 
and hacking programs. However, you should also know about Kali Linux. Kali 
was specifically designed with hacking in mind, and the security packages 
contained in the VMWare image are mostly geared towards providing users with 
tools that facilitate hacking. However, it is a little more challenging to use if you 
haven’t been exposed to Linux already, and much of its power is found at the 
command line. 
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Each different VMWare image and Linux distribution has different default 
usernames and passwords. You can check the defaults on the website where you 
downloaded the code image, but they are most typically ‘root’ and ‘toor’ or 
‘username’ and ‘password.’ If you wish, you can create additional user accounts 
but this isn’t necessary as we will only be using these operating systems to run 
some demos. 


Though I would personally recommend that you take full advantage of VMWare 
to virtualize Linux operating systems to provide you with hacking tools, you do 
have an alternative. Many Linux distributions can be downloaded and burned to 
a CD or DVD. These are called ‘live boot’ images because all you need to do is 
pop the disk in your computer, reboot it, and voila. Your computer will boot to 
the Linux operating system contained on the disc. Some versions of Linux are so 
small and lightweight that you can even boot from a flash drive. However, there 
is one caveat with these live boot images. Your computer may or may not be 
configured to boot from the hard drive before the disc drive or USB port. If this 
is the case for your computer, you would first need to change the boot order of 
these devices. It is a little difficult to explain this procedure since every make 
and model of computers and laptops have a slightly different process, but you 
can Google this procedure for your make and model of computing device to 
change the boot order to accommodate a live Linux CD or DVD. Personally, I 
prefer VMWare because you can switch between your host operating system 
(Windows in my case) and your virtual machines without needing to reboot your 
computer. 


Lastly, if you want to get your feet wet hacking, I highly advise you take the 
time it takes to get your Linux environments setup. Most of the demos we will 
be running in this book will be from a Linux operating system. Note that while 
many of these tools have versions that work with Windows, Linux is still the 
preferred operating environment for hackers because it is more secure and offers 
access to more code and hacking tools than Windows does. 
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Chapter 8 — Introduction to Ping Sweeps, Port Scanning, 
and NMAP 


It’s finally time to dig into the good stuff! In this chapter I will walk you through 
how to perform network scanning and reconnaissance techniques using a 
program called NMAP. This is the program that the hackers in the movies like to 
flaunt, and it is fairly easy to use. The whole point of NMAP is to feel out a 
network and scan it to discover active devices, open ports, and other vital 
information such as which operating system the host is running. In the network 
penetration and hacking world, this is referred to as network mapping, 
footprinting, or reconnaissance. 


Without these tools, you are essentially blind on any given network and you 
would have a hard time attacking anything since you wouldn’t be able to see any 
targets. Also, think just how important it is to know what operating system a host 
is using. Exploits come and go, and new ones are constantly surfacing as new 
operating systems are developed or patches are applied. For example, with each 
new version of Windows, there are countless security vulnerabilities that are 
slowly identified and patched over time. By knowing the operating system 
version on a host, you could use a tool such as Metasploit to search for active 
vulnerabilities and exploit them. 


Once an attacker has gained access to a network, there are a lot of things they 
can do to prepare an attack. The following are some of the more common 
footprinting goals: 


-Gather information 


-Find the local subnet’s IP address structure 
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-Search for networking devices such as a router, switch, or firewall 
-Identify active hosts on the network such as end user workstations 


-Discover open ports and access points -Find out detailed information regarding 
the operating systems on active machines 


-Discover the type of device such as a laptop, tablet, smartphone, or server 
-Map the local network 


-Capture network traffic 


Even if you don’t have an advanced degree in computing, Linux software and 
network penetration programs are becoming so sophisticated that it is 
unbelievably simple to carry out these footprinting tasks. The only things you 
need are a Linux system (see chapter 6), the right software, a rudimentary 
understanding of networking concepts (see chapter 5), and a guide. The rest of 
this chapter will focus on using NMAP to feel out and map a network. Contrary 
to the old adage, remember to try this at home! Don’t use the knowledge in this 
chapter to start poking around the network at your office or in a public setting. 
Respect others’ privacy or there may be harsh consequences. 
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Ping Sweeps 


The first and easiest technique you need to understand is called a ping sweep. A 
ping sweep is a useful way to identify active machines on a given subnet. If you 
aren’t familiar with a ping operation, let’s take a moment to explain this concept. 
A ping is a command from ICMP (Internet Control Message Protocol), and it is 
frequently used to determine if two hosts have an end-to-end connection. The 
host that initiates the ping sends small packets of information via what’s called 
an ICMP echo request. If the target host is online and has a connection, it will 
reply to the host who initiated the ping. This will show you that the host is online 
and that it isn’t suffering from connection problems over the network between 
the two hosts. 


If you really wanted to, you could manually go through each IP address on your 
network and ping it from your computer to see what IP addresses other hosts on 
the network are using. In reality though, this simply isn’t feasible. It would be 
very tedious and time consuming trying to ping hundreds of individual IP 
addresses to see if any hosts are online. This is why ping sweeps are so useful — 
they allow you to ping every valid IP address on a subnet automatically. After 
the sweep has been completed, NMAP will return a list of all the addresses that 
replied to the ping and allow you to see the IP addresses of other active hosts on 
the scanned network. 


However, there are a couple caveats to ping sweeps. They don’t always show 
you every single host attached to a network. There are a few reasons why a host 
might not respond to a ping sweep. Firstly, it could be possible that a host’s 
network card is faulty or broken in some way. Secondly, there could be 
problems on the network between your host and the target subnet that prevent 
the ping from completing successfully. Lastly (and most importantly), network 
admins choose to configure hosts to not respond to pings for the sole purpose of 
protecting them from being identified by a ping sweep. In some instances, your 
ping might pass through a firewall that doesn’t allow ICMP traffic, too. 
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These are the exceptions, though, and not the rule. It is rare that a host would not 
respond to a ping, and the vast majority of active hosts will show up in a ping 
sweep. This is especially true if you are performing a ping sweep on the subnet 
that your computer is directly connected to. 
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Operating System Identification 


Yet another useful feature of the NMAP utility is the ability to identify the 
operating systems that active hosts are using. Though you may not think so at 
first, this is actually some critical information. After you know what operating 
system and code version a host is using, you can then search databases using 
tools such as Metasploit to identify weaknesses and vulnerabilities. Furthermore, 
NMAP will be able to tell you the model of device a host is using. This is also 
critical because it will help you discern what type of devices are present such as 
host computers, tablets, phones, infrastructure devices, hardware appliances, 
printers, routers, switches, and even firewalls. 
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Port Scanning 


Port scanning is a little different from a ping sweep. With port scanning, the goal 
is to find what port(s) are open on a whole subnet or a single host. For example, 
you could perform a port scan on your local subnet to see if any hosts are 
accepting connections on port 80 (HTTP). This is a great way to see if you can 
access any networking devices such as a wireless router, printer, or a firewall. 
Because these types of devices typically have web configuration interfaces, any 
hosts that are accepting connections on port 80 (HTTP) will show you a login 
prompt if you type their IP address into a web browser. For example, if your port 
scan revealed that the host 192.168.1.1 (this is most likely the default address of 
your wireless router) is accepting connections on port 80, you could reach its 
login interface by typing http://192.168.1.1 in your web browser. This will 
initiate a connection on port 80 for the host 192.168.1.1 (see chapter 5 for 
networking fundamentals, IP addresses, and ports). 


It is likely that the administrator changed the default username and password for 
that device, but you would be surprised how frequently people fail to do this 
because they are inexperienced, lazy, or just plain ignorant of the massive 
security risk they encounter by leaving the username and password set to default 
values. If you wanted to, you could even use NMAP to find what type of 
firmware the networking device is running as well as the model number. Then 
all you need to do is perform a quick Google search to find the default values 
and attempt to login to the device. But this is just one simple example of port 
scanning. You could even scan a single host to see all of the ports that are 
accepting connections. And port scanning goes well outside the realm of 
scanning port 80 to see if you can pull up a web interface. Some ports can be 
used to deliver types of code that will take advantage of a flaw in a protocol or 
system to escalate an attacker’s privileges or even deny that target from using 
network services. 
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NMAP Footprinting Procedures: Installing NMAP 


Before we begin, there is one last thing we need to do to configure VMWare 
connectivity. VMWare uses the idea of virtualized network adapters, and the 
default setting won’t put your virtual machine in the same subnet as your host 
operating system. Simply click on the ‘settings’ tab of the VMWare application 
and find the configuration option for your ‘network interface.’ Now select the 
option to put it in bridged mode. 


To verify that your host operating system and VMWare operating system are on 
the same subnet, just run the ipconfig command from the Windows command 
line or the ifconfig command on Linux and Mac systems. Then, just make sure 
they match and belong to the same subnet. 


To begin these demonstrations, you are going to want to fire up VMWare and 
boot your virtual Linux system. NMAP should already be installed if you 
selected the security packages as recommended earlier, but if you failed to do 
this there is good news. It is pretty darn simple to install NMAP. 


Open the terminal in your Linux distribution (either Kali or Ubuntu). Try 
running the following command to see if NMAP was installed successfully. 


- sudo nmap -sP 192.168.1.0/24 


Don’t worry about what this command does, we’ll dig into that information 
shortly. If it wasn’t setup properly, the terminal will spit out an error that says 
NMAP isn’t installed. Don’t worry, this isn’t a big problem. We just need to run 
the following command to download and install NMAP: 


- sudo apt-get install nmap 


It will take only a short while to download and install, and you should receive 
confirmation from the terminal that the operation completed successfully. Now 
we can take a closer look at ping sweeps. 
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NMAP Footprinting Procedures: Ping Sweeps 


Now that you have a good idea of what ping sweeps do, it’s time for a 
demonstration! Though you can download it for Windows, I would personally 
recommend you heed my advice and try your hand at installing VMWare to get 
used to a Linux environment. The following is the quick and easy 4 step process 
you need to run a ping sweep in Linux using NMAP. Again, remember that this 
tool is used to identify active hosts on a network. 


Step 1 — Run VMWare and boot to your Linux operating system. 


Step 2 — Open the terminal (a.k.a. the shell). This can be found by performing a 
search for ‘terminal’ after clicking the start button. If you failed to install the 
GUI (Graphical User Interface) during your installation, you would have booted 
to a black screen with a blinking cursor. This is the same as the terminal, so 
either will work for our purposes since we are working from the command line 
like those mythical hackers in the movies. However, if you feel uncomfortable in 
this environment and you want a GUI screen, just run the startx command. 


Step 3 — Run the following command: 


- sudo nmap -sP 192.168.1.0/24 


In this command, 192.168.1.0/24 is an example subnet. It is entirely possible that 
your computer is on a different subnet. To discover which subnet you are using, 
run the ipconfig command in Windows or ifconfig on Linux and Mac systems. 
These commands will show you what IP address and subnet mask your computer 
is using. For example, if your IP address is 192.168.113.201 and your subnet 
mask is 255.255.255.0 (the same as /24), the command would be changed as 
follows: 


- sudo nmap -sP 192.168.113.0/24 
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Now NMAP will work its magic and automatically perform a ping sweep across 
all valid IP addresses on the subnet you specified — which is 192.168.113.0/24 in 
this example. 


Step 4 — Read the results. After the operation completes, NMAP will return a list 
of IP addresses that successfully responded to the ping sweep. Be warned, 
though. Depending on the size of the subnet and your local computing resources, 
it could take a little while for the operation to complete. Just be patient and let 
NMAP do its thing. Now you have a little bit of ammunition to further your 
reconnaissance efforts. You can use the IP addresses found with the ping sweep 
as a parameter in the following commands to identify that host’s open ports and 
what operating system it is using. 
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NMAP Footprinting Procedures: Port Scanning 


Now it’s time to learn how to identify which ports are open on a target network 
or device. Just think how useful this is for ethical white hat penetration testers. 
This tool will essentially let them verify that hosts aren’t accepting connections 
on dangerous ports that should be blocked by a firewall, but realize this tool is a 
double-edged sword. Black hat hackers can use this tool to find open ports in an 
effort to find a way to break the system. Because you should have already run a 
ping sweep, I won’t list the steps in this demo. Just test out the command from 
the terminal that you already have open. The syntax of this command is as 
follows: 


- sudo nmap -p [PORT] [TARGET] 


In the command syntax, [PORT] is a numeric value representing the port you 
want to scan. If you wanted to scan for hosts accepting HTTP connections, you 
would set this value to ’80.’ The [TARGET] field specifies which host or subnet 
you want to scan. If you wanted to scan a single host, you would omit the subnet 
mask. If you wanted to scan your entire subnet, you would include the subnet 
mask. Consider the following two examples: 


1. sudo nmap -p 80 192.168.113.21 (this scans the host with the address 
192.168.113.21) 


2. sudo nmap -p 80 192.168.113.0/24 (this scans the entire 192.168.113.0/24 
subnet) 


Interestingly enough, this command won’t only show you if the desired port is 
open or closed. It will also provide the host’s MAC address and display the OUI 
(Organizationally Unique Identifier) for that MAC address. If you find that port 
80 is open, go ahead and try to pull up the web configuration interface in a web 
browser just for kicks. Also, take the time to verify that your hosts that have port 
80 open aren’t using the default username and password values. Remember, you 
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should be doing this on your own home network instead of a network where you 
don’t have the authority to be running port scans! 
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NMAP Footprinting Procedures: Operating System Identification 


Last but not least, we’re going to learn how to use NMAP to identify a host’s 
operating system. The syntax for the command is extremely simple and follows 
a similar structure compared to the previous examples. The only difference is 
that you use the ‘-O’ option in the command. Consider the following example 
where we scan a target host to uncover what operating system is running on the 
target: 


- sudo nmap -O 192.168.113.21 


This example only scans the 192.168.113.21 host, but you could scan an entire 
subnet as we did in the preceding examples. Then the command will provide you 
with detailed information regarding the type of operating system used, its 
version number, and any patches that have been applied to the host operating 
system. 
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In Summary 


Using NMAP, you can easily map a local network topology, identify active hosts 
with a ping sweep, scan for open ports, and identify operating systems. Note 
how short and sweet these commands are. These commands provide a high 
amount of leverage for an attacker because they are so simple to use and NMAP 
will do all of the dirty work for you. 


The next time you see a hacker in a movie, take a glance at their computer 
screen. More often than not, they are going to be using NMAP. Now you can 
actually decipher the cryptic text on their monitor! 
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Chapter 9 — Using Metasploit to Hack Devices 


Now that we have taken a look at how to use command line tools via the 
terminal in Linux, things are going to heat up a little. While NMAP is a fantastic 
tool to map a local network and gather information about hosts, Metasploit is a 
tool that is designed to help you actually break into a system and exploit 
vulnerabilities. If you installed the full version of Kali Linux in the VMWare 
chapter and included the right security packages, you should already have 
Metasploit installed. In fact, it is included in many different Linux operating 
systems. Note that there is a version for Windows, but it is natively a Linux 
program and running it on Linux is preferred. Please understand that Metasploit 
is an extremely advanced tool, and there have been entire books and manuals 
written about it. I couldn’t possibly hope to elaborate on every exploit found 
within Metasploit, and the fact is that they are constantly updating the 
vulnerabilities, payloads, and exploits that can be taken advantage of. But I do 
want to show you some basic commands, how to navigate through the 
Metasploit prompt, and show you a basic demonstration of how Metasploit can 
be used to hack a computer. 


Also, note that I intentionally showed you how to use NMAP before Metasploit. 
As it turns out, you can actually run NMAP commands from the Metasploit 
prompt — but it goes a little deeper. You can even save the data collected from 
your scans in a Metasploit database to be used as input for other Metasploit 
commands. 


But just what exactly is Metasploit? Metasploit is a vulnerability framework that 
is huge in the hacking and network penetration world, and I definitely 
recommend using this tool. Newbies have a hard time wrapping their heads 
around the fact that Metasploit is a framework and not a single stand-alone 
application. A lot of hackers use the code found in this handy tool to build and 
develop their own custom-tailored attacks. For example, if you were a hacker 
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investigating and studying the vulnerabilities and exploits on the latest version of 
Windows, you would use Metasploit to find and take advantage of security 
flaws. 


Note that there are a few different versions of Metasploit and some are free 
while others cost money. Though you should run it in a Linux environment, 
there is a Windows version for those of you who are too scared of the Linux 
shell. For all practical purposes, you are only going to want to use the free 
version since the paid version costs $5,000 dollars per year per user. 


Also know that because of the nature of the Metasploit program, you are going 
to need to turn off your software firewall or allow an exception because 
Windows will flag the program as some sort of virus. Rest assured, they are a 
credible and reputable organization — Windows is just wrong. Also, just like in 
the NMAP chapter, you are going to want to make sure that the VMWare 
network interface is configured for bridged mode. 


Lastly, you are going to need to be familiar with some terminology used in 
Metasploit such as payloads, exploits, listening, Metasploit interfaces, and have 
a general understanding of the database concept before moving forward. 
Payloads refer to sections of executable code that can be delivered to a target. 
After the payload has been successfully sent to its intended target, you can then 
run commands to further take advantage of that computer. Exploitation, on the 
other hand, simply means taking advantage of a known system vulnerability by 
using Metasploit. In addition, listening means that Metasploit is collecting and 
analyzing network traffic that matches certain criteria, much like a packet sniffer 
such as Wireshark. Furthermore, Metasploit interfaces include the MSFconsole 
as well as Armitage, but an interface could also refer to one of several network 
interfaces on your computer such as the wireless interface or the Ethernet port. 
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To round up or discussion of basic Metasploit concepts, you need to be aware of 
the Metasploit database. The database is one of the features of this software that 
makes it so powerful, and you can save vast amounts of data you collect about 
different networks within the database. Not only will it help you organize the 
information you collect, but you can actually run commands on entries found in 
the database to ease the automation process. That way you don’t have to run the 
same command on every host you discovered using a tool such as NMAP. 
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Basic Metasploit Commands 


To begin the hacking demonstration, you need to be familiar with several basic 
Metasploit commands and know what they do. First of all, you need to know 
how to reach the Metasploit prompt. To begin, open the terminal (or the shell — 
they’re the same thing) and type the following: 


- msfconsole 


If you have properly installed the Metasploit framework, you should reach a 
prompt that displays ‘msf’ followed by a greater-than sign. From this prompt, 
there are a variety of basic commands you can use to get help, show additional 
commands, set targets for attacks, set ports for exploits, and many other useful 
tools and features. The following is a list of the basic Metasploit commands and 
their functions: 


-show options — lists available options to configure Metasploit -set rhost 
192.168.1.3 — sets the remote host (target) of an attack to 192.168.1.3 


-set lhost 192.168.1.2 — sets the attacking local host of an attack to 192.168.1.2 
-set rport 80 — sets the port number of the target host to 80 
-set lport 53 — sets the local port of the attacker to 53 


-set payload [PAYLOAD] — allows a user to execute a given payload -unset 
rhost — removes a remote host’s IP address 


-unset lhost — removes a local attacking host’s IP address -exploit [EXPLOIT] 
— allows an attacker to execute a given exploit -back — returns a user to the 
initial Metasploit screen 


-sessions —l — displays active sessions 


-sessions —i [ID] — goes to an active section where [ID] is a numeric value taken 
from the previous command 
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To gain a better understanding of how Metasploit can be used to uncover 
vulnerabilities, let’s take a look at a module that scans hosts for SMB (Server 
Message Block protocol). While these types of vulnerability scanners and 
exploit techniques are fun in a personal setting and very beneficial for learning 
how to use Metasploit, this technique in particular is considered to be a very 
“noisy” scan. That is to say that it raises red flags that would draw the attention 
of a security professional if you performed them in an environment where you 
have no business scanning for vulnerabilities. 


Start from the MSF console and run the following command to enter the 
exploit’s command prompt: 


- use auxiliary/scanner/smb/smb_login 


From here you can view all of the parameters and options to configure before 
running the scan with the following command: - Show options 


You’ll notice a lot of fields that can be set to various values to fine-tune the scan. 
Most importantly, note that one of the fields is labeled as “Required.” These 
fields need to have a value in them or you won’t be able to properly run the scan. 
To change the value in one of these fields, simply use the set command. For 
example, if I wanted to change the target in the rhosts (Remote Hosts) field, I 
would run the following command: 


- set rhosts 192.168.1.0/24 


This command will set the target to the entire subnet. For the SMB login 
vulnerability, you would also need to set values such as SMBUser (the 
username) and SMBPass (the password). After all of the required fields have 
values and you have selected your target, username, and password, you can then 
run the vulnerability scan with the following command:- run 


After you execute this command, you will see output of Metasploit trying to take 
advantage of the SMB vulnerability for every host in the rhosts value. If you set 
it to your entire local network, it will run through each individual IP address on 
the subnet and attempt to login using the vulnerability. 
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You might also have noticed that one of the fields is labeled 
BRUTEFORCE_SPEED, which will tweak how fast the software will run 
through a brute force password attack on the targeted hosts. 


This is yet another example of a Metasploit exploit, but there are many, many 
more. There are an unfathomably high number of exploits on the latest releases 
of operating systems and network protocols, and users who excel at using 
Metasploit can do some real damage. This example is just the tip of the iceberg, 
but some of the attacks and exploits are much more complex than our simple 
demonstration. Some of them do require more background knowledge to 
understand the attack, but by and large even newbies can run many of these 
attacks with little to no knowledge of the protocol’s or exploit’s internal 
mechanics. 
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Chapter 10 — Wireless Password Hacking 


If you didn’t know already, there are methods of cracking wireless passwords so 
you can gain access to wireless networks when you don’t have the security key. 
Again, please only try this on your home networking equipment. Though it may 
be tempting to try to use this method to hack into your neighbor’s wireless 
network to get free Wi-Fi, this is a huge breach of privacy and it is not legal to 
do so. In addition, it is actually a pretty simple process to break weak Wi-Fi 
encryption and login to a wireless network. However, there are a couple caveats. 


You see, there are several different types of Wi-Fi encryption. The two easiest 
encryption standards to crack into are WEP (Wired Equivalent Privacy) and 
WPA (Wi-Fi Protected Access), but it is also possible to crack WPA2 (Wi-Fi 
Protected Access 2). Though some wireless routers implement stronger Wi-Fi 
security standards that are more difficult to break into, your average home user 
doesn’t know the difference and typically doesn’t select the right protocol based 
on their knowledge of security. 


But why would you want to hack into a wireless network in the first place? After 
all, an expert hacker probably has bigger fish to fry than his neighbor who is 
using the Internet to look up the latest sports stats, right? Sure, that’s true 
enough, but imagine the havoc an experienced hacker could wreak upon a 
business network that uses weak security. While it’s true that most businesses — 
even small businesses — use IT staff that are well adept at implementing the 
strongest Wi-Fi security available to date, there are a few scenarios that happen 
all too often in a corporate setting. For example, consider a commercial 
establishment that provides both a company-wide Wi-Fi signal as well as a hard- 
wired Ethernet port for each of their employee’s offices. 
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Sometimes employees don’t like to follow the rules and adhere to their 
company’s security policies. Many companies forbid plugging in a networking 
device to an Ethernet port, but often times network personnel will make a 
mistake in configuring the network — giving an employee the opportunity to 
connect a wireless router to their Ethernet port. Usually employees want to have 
their own wireless signal because they think it will give them faster Internet 
speeds. 


Whether or not it will actually increase their speed, this scenario happens all the 
time. And the problem is that it leaves a gaping security hole for hackers to take 
advantage of them. Because non-technical users don’t understand the details of 
Wi-Fi security standards, they may accidentally configure their wireless router 
for WEP or WPA security. Uh-oh, guess what? Now a hacker has a point of 
access into their corporate network! All the hacker has to do is crack the wireless 
security password, and in a matter of minutes of cracking the wireless password 
the hacker can start attacking corporate hosts. 
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VMWare Wireless Password Cracking Caveats 


Before we dig into the steps you need to take to crack a wireless password, I 
need to inform the VMWare users of one small caveat. The way VMWare is 
designed makes it almost impossible to run sniffing software on your wireless 
interface. In fact, if you fire up your Linux distribution in VMWare and run the 
command ifconfig, you will notice that there isn’t a wireless interface present. 
Normally it would be listed as ‘WLANO,’ but no such entry exists in the output. 


The reason for this is that VMWare doesn’t give control of your wireless 
network card to your virtual machines. Instead, your wireless card’s interface is 
bridged as an Ethernet interface inside of your virtual Linux machine. If you 
decided to use a live boot CD or DVD, then Linux will have the proper control 
of the wireless card to facilitate wireless sniffing. But what can a VMWare user 
do to crack wireless passwords? Should you just skip over this demo? Not a 
chance. The good news is that there are two alternative solutions to allow you to 
participate in this demo. 


The first, and arguably less favorable of the two, is to purchase a USB wireless 
adapter. If you weren’t aware of this already, you can buy USB sticks that are 
actually external wireless cards, and Linux will be able to utilize them. However, 
I don’t like spending money on things I don’t need to. There is a free solution 
that will allow virtualized Linux systems to sniff on wireless interfaces. 
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Docker Demonstration 


Enter Docker. Docker is software that will allow you to virtualize the 
functionality of your wireless card inside your virtual VMWare Linux 
environment. I know it sounds odd running virtualization software within a 
virtual machine, but it’s easy to do and it only takes a few minutes to install. The 
following is the process to use and install Docker in a Kali Linux environment so 
you can hack wireless passwords like a professional. 


First, you’re going to want to get all of the necessary image and script code from 
the Internet. Run the following two commands and remember that you will want 
administrative privileges for the installation procedure: 


-git clone https://github.com/docker-linux/kali 
-cd kali/ 


Next you will want to run the following two commands to successfully create 
the Docker image and then open it: 


-sudo sh build-kali.sh 
-sudo docker run -it linux/kali binbash 


If everything was successful, this should change your prompt to a pound sign 
(#). This will indicate that you are inside the Docker image. The next thing we 
need to do is install and configure software within the virtual Kali Docker image 
as follows: 


-apt-get install kali-1linux 
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-apt-get install kali-linux-wireless 
-apt-get install kali-linux-top10 


-exit 


Now we will need to save our work in the current container. This is just another 
way of saying that we will save all changes made to the virtual image we just 
created. To do this, we need to find the unique container ID. Issue the following 
command to display that information: 


-sudo docker ps -a 


The information you need is listed under CONTAINER ID. Once you have that 
information, plug it into the following command: 


-sudo docker commit [CONTAINER NUMBER] kali:1 


Lastly, we are going to need to enter the Kali image that we have created in 
privileged mode with the following command: 


-sudo docker run -it --net="host" --privileged kali:1 binbash 


By now everything should be setup to properly crack wireless passwords from 
your Linux environment. 
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Using Reaver to Crack Passwords 


If you want to hack wireless passwords like a pro, then go ahead and fire up your 
favorite Linux distribution and enter the Docker image that we setup previously 
from the command line. Ideally I would recommend that you use the following 
program in the Kali environment as the steps won’t work for every Linux 
operating system. We are going to be using a program called Reaver to crack 
wireless encryption standards, and while it is prepackaged with some security 
packages in Kali, I’1l go ahead and run through the simple install procedure first. 
To begin, run the following two commands to update your Linux software and to 
download and install the Reaver program: 


-apt-get update 


-apt-get install reaver 


The terminal will ask you if you want to proceed after determining how much 
disk space the program will consume. Just type a ‘y’ to proceed. After the 
operation has completed you will get confirmation from the terminal the Reaver 
was installed. And now we will need to find the name of your wireless interface. 
Because we have already gone through the Docker installation procedure, you 
should now see a wireless interface when you run the following command: 


-iwconfig 


After you find the name of your wireless interface, we will need to start 
monitoring wireless data on that interface using the following command: 


-airmon-ng start wlano 
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This command will spit out some more output, and you need to take special note 
of one variable. It will create a name for the wireless interface that is in 
monitoring mode. Most likely it will be monO on your machine, but it could be 
different. You will find this information in the bottom right of the output, so 
remember this piece of information as we proceed. So now simply run the 
following command: 


-airodump-ng wlano 


You’ll notice after running this command that it will spit out a lot of MAC 
address output that correlates with different wireless routers’ BSSID’s. If you 
don’t see any output, you may need to wait longer for your network card to 
monitor wireless transmissions or you may need to substitute the above 
command with the pseudo name for that interface (such as mon0O). The list of 
available wireless BSSID’s will refresh continually, but you can hit ctrl + C to 
end the operation. 


You’ll also notice that the encryption type is listed in a column near the right 
hand side of the output. There is a different method needed to crack different 
encryption standards, but for this demo we are going to be cracking WPA 
passwords. Look for an example wireless network that is using WPA or WPA2 
encryption. 


Now run the following command and substitute the variables as they pertain to 
you: 


- reaver -i [MONITORING INTERFACE e.g. mon0] -b [BSSID] -vv 


The hard part has been completed, and Reaver is going to go about its duties and 
hack the password for you. Be warned, the process isn’t as easy as you might 
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think and the program could take a few hours to crack the password depending 
on a number of factors. Sometimes it can take as little as 2 hours and as many as 
10 hours. 


When it has completed, however, you’!l notice a field in the output labeled as the 
WPA PSK. This stands for pre-shared key, and this is the value that you are 
concerned with. But think how powerful this software is in the hands of a black 
hat hacker. Even though the target has secured their network with WPA — which 
would keep out most regular users — a hacker could still use this software to 
break into their network. Then the hacker could employ reconnaissance 
techniques to feel out and map the local network. They could use NMAP to 
identify other computers, scan those hosts to find open ports, or run a tool like 
OpenV AS to search for vulnerabilities. 


It would also be very easy for an attacker to run a man-in-the-middle attack (as 
Pll show you how to do later in this guide) to steal all sorts of valuable 
information — even from hosts that are hardwired — as it is in transit to the 
wireless router. 


Just note a few caveats about the process, though. 


First of all, you are going to want to make sure that you have a strong signal. An 
incredibly weak signal could multiply the amount of time needed to crack a 
password or even cause the operation to fail entirely. In addition, there are a 
handful of router models that Reaver won’t be able to successfully crack, but by 
and large it will work on the vast majority of them. 


Lastly, note that you can save your work through the process if you get 
interrupted. Don’t shut down your virtual machine, because this would cause 
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you to lose your progress. However, by hitting ctrl + C you can exit the 
operation and Reaver will save the work it has performed in memory. 
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In Summary 


As noted earlier, hacking tools are becoming so sophisticated that they are 
extremely easy to use. Like other tools, the hard part is the patience it takes to 
setup of the software. After you have completed the setup process, you can point 
your password cracking cannon at a wireless network and it will do all of the 
dirty work for you. 


I bet you didn’t think that cracking wireless passwords was so easy, did you? 
The scary part about this software is that it is free and readily available to 
anyone with an Internet connection. Just remember not to abuse your power by 
invading someone’s privacy, and I would recommend that you setup your home 
router for WPA encryption for the purposes of this demonstration. 
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Chapter 11 — Web-Based Vulnerabilities 


Up until this point, we have been taking a look at how to hack physical devices. 
Web-based vulnerabilities, on the other hand, are a completely different animal. 
Instead of snooping around and trying to gain access to physical networks, 
employing reconnaissance techniques, and then looking for exploits to be used 
on hosts on the network, web based vulnerabilities can be carried out through a 
web browser. There are many types of web based vulnerabilities, but the two of 
the greatest concern are SQLi (SQL Injection) and XSS (Cross-Site Scripting) 
attacks. These attacks are such a huge problem because they are carried out very 
frequently and the Internet if fraught with SQLi and XSS attack opportunities. 


There’s no way around it — the Internet is an extremely dangerous place in 
modern society. Even if you take the greatest care to strengthen your computing 
devices by implementing the newest security measures, it is still very likely that 
your web browser or web server can become compromised by hackers around 
the world. Attacks targeting web based vulnerabilities happen every single day, 
and there’s no telling who could initiate an attack against a website since there 
are no geographic boundaries on the Internet. Even though some countries take 
extreme measures to censor their Internet, it is pretty easy to circumvent those 
restrictions with a VPN tunnel — giving most everyone around the world an easy 
and cheap way to connect to servers and resources blocked by their government. 


To better illustrate the point of how web vulnerabilities can be exploited from 
people in other countries, let’s consider the WordPress platform. For those of 
you who don’t know, WordPress is an extremely popular tool used to build 
websites that has a very intuitive visual interface. WordPress is able to add tons 
of features to any given website through downloadable code modules called 
plugins and widgets. The only problem with these code modules is that you don’t 
know who created them. To be fair, WordPress does a fine job of keeping the 
modules that contain malicious code away from their web development 
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platform, but the real problem lies within security. Even the best coders make 
security mistakes from time to time, but you have no way of knowing how 
security-conscious the author of your plugin was. As a result, we have seen 
hackers find exploits in some very popular plugins and take advantage of them. 
I’m talking about plugins that have been downloaded and installed on websites 
millions of times. 


For example, earlier this year there was an exploit in a WordPress plugin called 
WP Super Cache that had been downloaded and installed by over a million 
active websites. The flaw involved injecting SQL code (we’ll talk about this 
shortly) into a website’s database to cause an anomaly that would break the 
system. But here’s the scary part: the vulnerability was being exploited by the 
well-known extremist group ISIS! These kinds of attacks happen on a daily basis 
and create massive problems for website owners. It truly is incredible to think 
that someone halfway around the world can target your website and steal your 
data for no other reason than to cause chaos and disruption. It’s true what they 
say, I guess. Some people just want to watch the world burn. However, this 
chapter will yet again take a white hat approach to hacking web based 
vulnerabilities so you have a basic understanding of how they operate and how 
they can harm a website. 
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SQL and SQLi Attacks 


First we need to begin with a brief description of SQL. SQL (Structured Query 
Language) is a high level language that is used to communicate with databases. 
It helps application developers and websites insert, update, and delete 
information in databases, and some of the queries are extremely powerful. For 
example, with one SQL command you could add one entry to a database or even 
delete all of the entries within an entire database. 


By and large, external users of a website that utilizes a database don’t have 
access to the data contained within. If a website is properly secured, there isn’t a 
way for an attacker to steal data or edit the data in a database. There’s just one 
problem. Web forms frequently contain design flaws that leave them vulnerable 
to an SQLi (SQL Injection) attack, whereby a hacker can insert their own 
malicious code into a database to disrupt their records. Let’s start with a basic 
example so you can understand how your data is stored in a backend database 
when you enter information into a website. 


For our example, let’s pretend that you were browsing the Internet on an e- 
commerce website and you are interested in purchasing a hard copy book. In 
order to fulfill your order, you would need to give the e-commerce company a 
lot of information including your name, street address, zip code, country, phone 
number, and payment card details. Most likely the website would first require 
you to create an account with a username and password. You enter all of this 
data into a form on the website, and that data is then “plugged in” to SQL code 
running in the background to properly store the data in a database. 


Any good developer will first properly sanitize the data you entered, meaning 
that they will check for characters that don’t belong. For example, if the web 
form required you to enter your telephone number, properly sanitized data would 
generate a secure error message if you entered special characters into the field 
instead of numbers. You simply can’t call the number “867-530(“. The open 
parenthesis character doesn’t belong in the phone number field, so you wouldn’t 


www.engbookpdf.com 


be allowed to proceed with the registration process until you enter valid 
characters. 


But here’s where the trouble begins. If the developer made an error in their code 
that doesn’t properly sanitize the data, a hacker could insert (i.e. inject) text into 
the web form field that completely changes the operation of the SQL statement. 
By placing SQL code into the web form, the attacker has the ability to disrupt 
the database because their text and characters would be plugged directly into the 
SQL commands. 


But how do you determine if a web form contains the potential for a hacker to 
inject their own malicious code into the SQL database in the first place? It all 
comes down to viewing the error messages displayed after trying to input data 
into a field. For example, one thing you can do to test this is to surround the data 
you type into a web form field with double quotes. More often than not, if an 
error message appears, this is a good sign that you can successfully inject code 
into the SQL system. In rarer cases, the form might display a buggy-looking 
blank screen. In this event, the database may or may not be injectable. When this 
happens, hackers use a process called blind SQL injection because they can’t 
directly see what impact their injected code had on the database. If neither of 
these things occur, then it is highly likely that the website isn’t vulnerable to 
SQL injection. 


If it has been determined that a website is indeed susceptible to SQL injection, 
the following is code an attacker could inject into the background SQL code to 
facilitate the attack: 


“OR 1=1“ 


This code is problematic for the website because it will always cause a statement 
to evaluate to TRUE and trump any logic statements coded into the intended 
command. For example, consider a command that was intended to update a field 
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if conditional criteria were met. The intent of the command may have been to go 
through the database, find the user Peter Gibbons, and update his credit card 
number. As the database goes through each entry, it will evaluate the value of 
the user field and only make changes on records that contain a user with the 
name of Peter Gibbons. Any name that doesn’t match “Peter Gibbons” would 
evaluate to false, and those records’ credit card numbers wouldn’t be updated. 


However, when the “OR 1=1“ command is applied to the logic statement, things 
start to break down. 


OR statements always evaluate to TRUE if one or both of the expressions on 
either side of the OR statement evaluate to TRUE. So in this example, all of the 
records in the database would evaluate to true because 1=1 is a true statement. 
The net effect is that all of the users’ credit card information would be 
overwritten with bogus data. Though it is highly likely that older copies of the 
database were created for a backup, this attack creates a massive problem. In the 
blink of an eye, a hacker just effectively erased all of the credit card information 
out of the currently active database and the company is screwed. Furthermore, if 
new data was entered into the database but that information hasn’t been backed 
up yet, that data is gone forever. But this is just one example. 


Using these types of injection techniques, hackers can do the following: 


- Delete sensitive information 

- Escalate their privileges in the website 

- Create new administrative accounts 

- Steal usernames and passwords 

- Steal payment card data 

- Garner complete control over a database 


However, remember that hackers can’t do these things to every database. They 
can only perform these tasks on websites that are vulnerable to SQLi attacks. 
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Cross-Site Scripting Techniques (XSS) 


If you’re not a techy or you haven’t had any exposure to website design, you 
probably haven’t heard of XSS before. But XSS attacks aren’t anything new. In 
fact, they have been used and abused since the 1990’s. But the variety of ways 
that XSS attacks cab be performed far outnumber SQLi attacks. For that reason, 
XSS is a much more flexible technique and it can be used to inject malicious 
code into a user’s web browser or even take over a session between a client and 
a server. To top it all off, a hacker doesn’t need to manually initiate the attack. 
Instead, it can all be carried out automatically. You would think that because 
these types of attacks are so old that their use and frequency would be waning, 
but that just isn’t the case. Because of this, many white hat security professionals 
view XSS attacks as the bane of their existence. Sadly enough, they can be easily 
prevented but too many people fail to take adequate measures to protect 
themselves. 
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XSS Details and Web Browsers 


Web browser technologies have been rapidly accelerating over the past 5 years, 
and they offer a ton of valuable software that is unprecedented in the Internet 
age. When you compare them to older browsers such as Netscape, the 
technologies they offer today seem truly staggering. However, all of the extra 
features and technologies that have been added to web browsers over the past 
decade have increased the opportunities for XSS hacks. The flaw all stems from 
a web browser running a script. 


HTML (Hyper Test Markup Language) is the most popular tool for formatting 
web content to date. By using tags in the code, HTML is able to change the 
appearance of data on web sites. The problem is a troublesome tag that allows 
websites to embed scripts. When your web browser encounters the <SCRIPT> 
tag in HTML, it will automatically execute the code contained therein. Though 
this is good because it drastically increases the usefulness of your web browser, 
it is a pain in the neck for security professionals. What if the script that your 
browser ran was a giant hunk of malicious code? The end results aren’t too 
pretty. 


To help you better understand how these types of attacks work, let’s use the 
example of joining a forum. The forum requires you to fill out information about 
yourself, such as a bio, an avatar, and a screenname. In addition, this forum 
allows you to view other members’ profiles and even chat with them directly on 
the forum via private messages. One day, you are browsing through the forum 
and you see a post by a member that absolutely blew your mind. To further 
investigate the source of the amazing content, you click on this user’s profile 


page. 


Where is the attack coming from? Can you predict what’s going to happen? If 
the user was able to inject a script into their profile, once you load their page 
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your web browser is going to be attacked. But how on Earth could someone 
inject malicious code into their profile page when they don’t have administrative 
privileges to the website? Much like the SQLi attacks, XSS attacks can occur 
when a website doesn’t do an adequate job of sanitizing their data. In this 
example, the user could have embedded code into any number of fields for their 
profile page. If the hacker wanted to, he could embed a link to a malicious script 
contained on another website into any of the fields in is profile. However, the 
script won’t be displayed on your screen because it is contained within the 
<SCRIPT> tags. There are ways to make this data appear, but it is undesirable 
for most users to browse the web with these settings enabled. Once your browser 
loads the page for the hacker’s forum profile, it will reach the link to the script 
and execute the malicious code directly within your browser. 


Furthermore, because you have already authenticated yourself with the forum 
site, the code could be constructed to take actions in your name. Although the 
script could easily be written with other objectives in mind. Perhaps it will steal 
cookies from your browser, which contain sensitive information such as login 
credentials to other sites. Maybe the attacker will steal your browsing history 
while he’s at it. If the information found in the cookies is related to online 
payments, they might even be able to steal your identity and credit card 
information. The sky is the limit, because that script that your browser executed 
could be written to do nearly anything. 
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Ways to Prevent SQLi and XSS 


Fortunately there are few things people can do to mitigate XSS attacks. First of 
all, as a web surfer you should be sure that you disable cookies. They are 
necessary for a few sites, but there are many types of malicious cookies that can 
be used against you. Don’t make the mistake of becoming too lazy to remember 
your passwords by relying on cookies to automatically log you in to your 
favorite sites. This is a huge mistake, and those cookies are a low-hanging fruit 
to a hacker. You would also certainly want to disable flash cookies, as they have 
been taken advantage of time and time again to steal information from naive and 
innocent users. 


From the perspective of a web designer, proper mitigation of XSS attacks begins 
with sanitizing your data. As they say, an ounce of prevention is worth a pound 
of cure. If web designers always took appropriate measures to sanitize data then 
we would see few (if any) XSS attacks at all. Even though it sounds like a 
simple concept, you would be shocked to learn some of the corporations that 
have been exploited with an XSS vulnerability. Many of the largest corporations 
in the world such as Facebook, Google, Twitter, and other mega-corporations 
have been victimized by these types of attacks because they made a mistake with 
data sanitization. 
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In Summary 


When you think of hacking, you probably didn’t think of injecting database code 
into a website via a web form or a script. But these types of hacks are becoming 
increasingly more common. These two techniques are incredibly dangerous 
because they don’t throw as many antivirus software or operating system 
warnings when they occur, allowing them to hack a target without leaving a 
trace of evidence. 
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Chapter 12 -OpenVAS 


OpenVAS, or the Open Vulnerability Assessment system is a great tool for both 
black hat and white hat hackers alike. However, it is more popular in the white 
hat realm as it was designed for professional penetration testers and it allows 
them to scan servers or computers, uncover any potential security flaws, and 
then provide solutions to patch the system. Essentially, it is an auditing tool that 
can provide a wealth of information about the vulnerabilities found in any given 
host. OpenVAS is really a collection of programs that work together to facilitate 
testing procedures that are cataloged in a massive database of listed exploits — 
much like the Metasploit database. However, this program can be used for good 
or evil depending on the motivations of its wielder. 
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Installing OpenVAS 


You have the option of installing OpenVAS on a server — which is usually 
what’s done in the corporate world — or you can simply install it in the virtual 
VMWare environment that you had setup earlier. If you are going to be using 
this software within Linux, this will be the perfect opportunity to further 
familiarize yourself with the Linux command prompt. However, know that a 
virtual appliance exists that you can install as its own independent VMWare 
machine. In this example, we are going to be installing OpenVAS within Ubuntu 
Linux since it is a favorite for Linux newbies. 


There are a couple prerequisites for this software as you likely don’t already 
have it installed on your system. To begin, you will need to install the python- 
software-properties tools. Furthermore, you will want to run an update 
command to make sure that none of its dependencies are out of date. To begin, 
run the following two commands: 


-sudo apt-get update 
-sudo apt-get install python-software-properties 


Now you will want to install the actual OpenVAS software from the Internet by 
using the following terminal command: 


-sudo add-apt-repository ppa:openvas/openvas6 


Though these commands may look a little hairy, they are just downloading and 
installing the necessary software. To put it simply, this is how you would install 
and configure the software from the command line. Next on the list, we will 
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need to rebuild a portion of the OpenVAS software as follows: 


-sudo add-apt-repository ppa:openvas/openvas6 


And now we will need to install the OpenVAS software by using the following 
commands: 


-sudo apt-get update 


-sudo apt-get install openvas-manager openvas-scanner openvas- 
administrator openvas-cli greenbone-security-assistant sqlite3 
xsltproc texlive-latex-base texlive-latex-extra texlive-latex- 
recommended htmldoc alien rpm nsis fakeroot 


Now that we have finished downloading and installing the software, 
we will need to proceed by configuring it before we can start 
scanning hosts for vulnerabilities. Though that process may have 
seemed difficult if you are new to Linux, it was actually very 
automated. By entering in a few commands, Linux will do all the 
downloading and installation procedure for you by itself. Compare 
this to a GUI environment where you need to browse the web to find 
software, download it, run through the installation procedure, and 
reboot your machine before you can use your new program. The real 
value in Linux for hackers comes from the power of the command line 
because it is lightweight (it doesn’t consume large amounts of CPU 
and memory as a GUI application would), extremely powerful, and 
contains ways to manipulate data that GUI versions of software 
simply don’t allow. Regardless, we do need to enter a few more 
commands to complete the OpenVAS setup. 


First we are going to want to create SSL certificates. An SSL 
certificate is a small file hosted on a server that provides a 
cryptographic key that matches and identifies a unique 
Organization. Also, it allows for secure data transmissions on port 
443. We are going to want to go through some steps to configure the 
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web interface in case you want to actually install this software on 
a server for penetration demos. If you are setting this up ina 
Linux environment within a virtual machine, it will still give you 
another notch on your geek belt by learning a little bit more about 
the command line. Begin with the following command: 


-sudo openvas-mkcert 


Now you are going to see a myriad of options in the terminal to 
allow you to configure your certificate. If you wish, you can 
simply leave the settings at their default values, but it is often 
better to customize them for personal use. This is up to your 
discretion since these values don’t have a large impact on our 
configuration. But now you are going to need to make a client 
certificate for a user as follows. 


-sudo openvas-mkcert-client -n om -i 


To proceed, we will need to build and update the OpenVAS database 

to make sure it contains the latest vulnerabilities. If we don’t, 

it could easily miss exploit opportunities when we scan individual 
hosts. Run the following three commands in order: 


-sudo openvas-nvt-sync 
-sudo service openvas-manager stop 


-sudo service openvas-scanner stop 


The next portion of the configuration can take a while to complete, so be patient. 
We need to configure the scanner component of the software and it will have a 
lot of data to download and sync. Use the following two commands: 


-sudo openvassd 
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-sudo openvasmd --rebuild 


For our next step, we will want to proceed by downloading the SCAP 
protocol (Security Content Automation Protocol) which is simply 
another component of the background services that will identify 
weaknesses in target hosts. Again, this particular command can take 
quite a while to complete so you will need to play the role of a 
babysitter as the software does its thing. Use the following two 
command: 


-sudo openvas-scapdata-sync 


-sudo openvas-certdata-sync 


Sometimes the second command listed above will fail and throw the 
error that there is no such table found in the software 
configuration. I you have encountered this problem, your operating 
system doesn’t have all of the dependencies for OpenVAS updated to 
their latest version. The good news is that we can install them 
with a couple of easy commands. 


-wget 
http: //www6.atomicorp.com/channels/atomic/fedora/18/i386/RPMS/openva 
manager -4.0.2-11.fc18.art.i686. rpm 


-rpm2cpio openvas* | cpio -div 


Now run the following commands to make OpenVAS use all of the files 
from a central directory. This will improve the speed and 
efficiency of the OpenVAS software. 


-sudo mkdir usrshare/openvas/cert 


-sudo cp .usrshare/openvas/cert/* usrshare/openvas/cert 
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Now your dependency problems should vanish and you should be able 
to successfully sync the data. Run the following two commands: 


-sudo openvas-certdata-sync 


-rm -rf /openvas* /usr ~/etc 
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User and Port 


Configuration 


As we near the end of the setup and configuration process, I wanted 
to show you another example of a port. In the network fundamentals 
section I had shown you the basic idea of users and ports, and now 
we have the opportunity to catch another glimpse of that 
information in action as we configure OpenVAS. To start we will 
need to configure a user account with the following command: 


-sudo openvasad -c add_user -n admin -r Admin 


This command will create a user account with full and unrestricted 
administrator privileges. The username will be ‘admin’ and the 
password will be of your own choosing. Now we need to configure 
what host or hosts can access the software. If you are installing 
OpenVAS in a virtual Linux environment, the default will suffice 
because it only allows access from the local machine. However, in 
corporate environments or home environments where you want to 
install OpenVAS on a server, you will need to change the default 
configuration so it will allow access to remote users. If you are 
using your own virtual Linux environment, you can skip this step. 
To change this setting, issue the following command to open the 
configuration file in a text editor: 


-sudo nano etcdefault/greenbone-security-assistant 


At the top of this file you will notice a line that indicates which 
address(es) are allowed access to the OpenVAS software. By default, 
it is set to the loopback address (meaning the local host) with the 
address of 127.0.0.1. You can allow access to any host you want, 
but it is best to set this value to your local subnet’s address. 
For example, if you use the defaults on your wireless router your 
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network is likely 192.168.1.0/24. 


Now that we have all the tedium out of the way, we can start the 
software and start scanning hosts. The most difficult part of 
getting your feet wet with OpenVAS is the installation process, as 
all it takes to scan a host is an IP address and the click of a 
button. First we will need to kill the currently running OpenVAS 
processes and restart the services. So, let’s finally fire up this 
amazing vulnerability scanning tool with the following commands: 


-sudo killall openvassd 

-sudo service openvas-scanner start 

-sudo service openvas-manager start 

-sudo service openvas-administrator restart 


-sudo service greenbone-security-assistant restart 
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Running the Software and Scanning Hosts for Vulnerabilities 


Once the services have been restarted you should be able to login 
to the web interface. Whether you are using a remote server or a 
local machine, you are going to need to use the following URL 
syntax in a web browser to reach the login prompt: 


-https://server domain or IP address:9392 


You will likely be presented with a certificate warning, but this 
is ok. Ignore the warning and proceed to the login screen. Next, 
enter the username and password you had configured earlier to 
login. After you have logged in, you will see a prompt for the 
default scanning wizard. All you need to do now is point your 
OpenVAS vulnerability cannon at an IP address and you will be able 
to find any current flaws or exploits contained within that host. 
So, enter an IP address and click ‘Start Scan’ to see a report of 
security vulnerabilities. 


In most real world scenarios, an attacker would most likely use 
NMAP combined with Metasploit to hack around a network and look for 
weak points. However, OpenVAS is a great tool for newbies because 
it is so simple to use after it has been installed. All you need is 
an IP address and the click of a mouse to see detailed information 
regarding vulnerabilities found in any host you scan. Furthermore, 
the scanning software ranks the criticality of different 
vulnerabilities so you will know which ones will cause more damage 
if they are exploited. When you click on the magnifying glass on 
each vulnerability, you will be able to see greater details 
regarding the flaw and even ways to patch that vulnerability. 


Keep in mind that the flaws and vulnerabilities found on scanned 
targets is always being updated via the database, so they change as 
time progresses. That makes the exploits you find very temporal. 
For example, if a new vulnerability is found next week and added to 
the OpenVAS database, you can rest assured that you have 
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information regarding the most cutting-edge exploit trends. On the 
flip side, older vulnerabilities that are no longer valid will be 
removed from the software. 


Though each vulnerability and exploit is truly its own animal, you 
can look for information in Metasploit that would help you take 
advantage of the vulnerability. Metasploit is also continually 
updated, and it is likely that you will be able to find and execute 
a payload or exploit after you have discovered it with OpenVAS. 
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Chapter 13 — Social Engineering 


While you may have erroneously thought that the only way hackers steal 
passwords is by entering cryptic commands into a text based operating system 
like you see in the movies, there are some much simpler techniques hackers use 
regularly to steal people’s information. Social engineering is a technique 
frequently used by sophisticated hackers to gain access to networks, and you 
need to have a solid understanding of these techniques to protect yourself from 
their black hat endeavors. 


Let’s start by defining the term social engineering. Basically, it is a way for 
hackers to manipulate targets into unknowingly forfeiting their information. 
Most typically this information is account data such as usernames and passwords 
that a black hat hacker covets to gain access to a computing system or network. 
Once they have a point of entry to the network, then they will proceed with 
reconnaissance techniques and scanning procedures. However, sometimes 
hackers employ social engineering to acquire banking credentials or local 
computer credentials in order to install a virus or Trojan. The point is that social 
engineering is typically one of the first steps an attacker takes to carry out a 
grander scheme. 


And guess what? It’s one heck of a lot easier for a hacker to trick someone into 
giving up their information than it is to hack into their computers and take it by 
force. Part of this is just due to psychology. You’ll find that people are always 
quick to guard the personal information and question where their personal data 
goes when they enter it online, but when talking with a real-life human being 
they are a lot more lax. Sure, you may have misgivings about giving your Social 
Security Number to a stranger over the phone, but consider a short scenario. 
Let’s say you are an accountant working in a medium-sized firm and you simply 
don’t know everyone who works at your company personally. One day you get a 
call explaining that there were some network issues yesterday and every account 
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needs to be reset (or some other believable yet bogus excuse) or your account 
will get locked out of the corporate network resources. If the social engineer did 
a good job of impersonating someone from your firm’s IT department, chances 
are you would give them your username and password. 


That brings us to one of the most fundamental aspects of security. You simply 
need to know who to trust and what online resources to trust. There’s an old 
adage that will ensure that you never misplace your trust again: trust, but verify! 
You have no idea whether or not that person on the phone is legitimate. The 
biggest challenge large organizations face with social engineering is the trust 
factor, because their entire network could be compromised by one individual 
who just takes everything at face value. 


Take physical security and defense as an analogy. It doesn’t matter how high 
your castle walls are, how many troops you have deployed, how large your spear 
infantry is, or how strong your mounted cavalry units are; it only takes one idiot 
to see a wooden horse as a wooden horse and the next thing you know your 
empire has crumbled. On a side note, I would probably say that the modern 
equivalent example of a Trojan horse is a burglar who pretends to be a pizza 
man, but I think you see the point. Once a hacker gathers critical information 
with social engineering, an entire business network could easily be in jeopardy. 
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Types of Social Engineering Attacks 


There are several common attack methods that criminals and hackers love to use 
for social engineering purposes because they have a high success rate. You’d 
think the general public would have learned their lessons by now, but the ugly 
truth is that some people still fall victim to these types of attacks because they 
are naive, gullible, or over trustworthy. The following are some of the most 
popular social engineering methods hackers love to use. 
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An Email from a Trusted Party 


Don’t offer up your credentials to anyone, and I mean anyone, including your 
close friends. Unfortunately, hackers have been able to expand their access to a 
network after successfully hacking a computer by duping users on the attacked 
PC’s email list into forfeiting more information. By using an email account from 
the computer they hacked, the hacker is able to take advantage of the trust 
relationship between the person they are emailing and the person they have 
hacked. 


But watch out! Attacker’s attempts to gather information are usually a lot more 
sophisticated than an email saying something to the effect of, “Hey Steve, can 
you give your username and password for www.example.com? I forgot my 
password.” Sometimes they will include a link to another site in an effort to 
employ a phishing attack. Other times they may send a toxic link to a resource 
they control that looks genuine, but they include a vague message such as, “Hey 
John, you gotta check this thing out!” Once you click on the bad link, a virus or 
some sort of malware could easily be downloaded to your computer. 


Even more worrisome is an email that contains a link to a download. It could 
look like a content download such as music, video content, or pictures, but the 
download link will actually point to a malicious code download. After a 
successful attack, the hacker will be able to access your computer, email 
program, and other sensitive information. And now the attacker has a whole new 
email address book to use to facilitate further attacks, and the vicious cycle 
repeats itself. 


Be warned. Hackers love to manipulate and take advantage of the emotions of 
human beings by urgently asking for help that is needed immediately. 
Sometimes they will appeal to your good nature and ask you to make a 
charitable contribution to someone in need. Though it is heartbreaking to try to 
separate the wheat from the chaff and know if you are truly helping someone 
out, you need to protect yourself and not donate any money if you can’t verify 
the company and link as a reputable organization. 
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A False Request for Help 


Sometimes hackers will send messages that appear to be from a legitimate 
company that claim they are responding to a request that you never made. Often 
they will imitate a large and reputable corporation with thousands upon 
thousands of users to increase their chance of success. If you never requested aid 
from them, you need to avoid that email like the plague. The real problem here is 
the scenario where you do use a product or service from the company they are 
imitating, though. 


Even though you didn’t originally ask for their help, you may still be enticed 
into wanting what they offer. For example, let’s say that the hacker is 
impersonating a representative of a large bank and that there was a reporting 
error that caused the bank to make an error that needs to be verified. Because 
you want to make sure that your money is safe, you decide to trust this false 
representative. But here comes the catch. The hacker is going to claim that they 
need to first “authenticate your information” to see if your account was affected 
by the “error.” You give them your credentials, and the next thing you know you 
have been robbed blind. 


Other times a hacker or bottom-feeding Internet huckster will try to class up a 
false claim that seems believable in order to take your money. These emails 
almost always employ urgency to motivate their targets to take action. My 
perception of these attempts is that they are nothing short of unadulterated knee- 
slapping gut-busting laugh-until-you-pass-out hilarity. But the sad truth is that 
they work, and some people mistakenly place trust in a stranger they have never 
met before. To illustrate these types of attacks, let’s turn to the iconic Nigerian 
Prince scam. 


This scam was in full swing during the 80’s and the early 90’s, but there have 
been many other copycat hucksters that created their own variations of the scam. 
In its infancy, the scam was actually sent through the public mail system. 
However, at the time email was an emerging trend and since it was all the rage, 
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it only follows naturally that these scams started finding their way into email 
inboxes. In the classic Nigerian Prince scam, an impersonator of a high-ranking 
Nigerian official (sometimes a businessman, other times members of the royal 
family) would send an email claiming that he wished to send millions of dollars 
into the account of the target. But why would anyone want to give away that 
much money? The thin lie that so many people ate up like candy was that the 
money was reserved for a political budget but it was never actually spent. As a 
side note, have you ever heard of a politician that failed to spend their entire 
budget (and then some)? Of course not! But if you would be so kind as to help 
this Nigerian Prince, you would get to keep a quarter or a third of the total value 
of the bank transfer. In the end, a lot of poor, gullible, unfortunate souls became 
even poorer when they offered up their banking credentials. 
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Baiting Targets 


Any baiting scheme is going to revolve around the appearance that the attacker 
is offering something of value. Many times you will see these types of social 
engineering attacks in pop-up ads or on torrent websites. The bait is frequently a 
free book, movie, or game that the target thinks is legitimate when in reality, it is 
a link to malicious code. Unfortunately, some of these offers look very real — 
they can take the form of a hot deal in a classified ad or a deal found in an 
Internet marketplace or false e-commerce site. These are hard to spot as scams 
because the attacker has found ways to manipulate the system to give themselves 
a favorable and trustworthy rating. Once you have been duped into following the 
link or download, the attacker has successfully injected a malicious program, 
virus, or malware onto your computer and has a foothold to carry out further 
attacks. 
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How to Protect Yourself from Social Engineering 


Social engineering is a huge problem because it evolves with technology, and 
you can’t always know whether or not someone is legitimate. Fortunately, there 
are a lot of things you can do to reduce the chance that you are victimized by an 
attacker using these techniques. 


First of all, be sure to take your time and think about the consequences of your 
actions beforehand. Attacker would love it if you just reacted to a situation 
without thinking about what you are doing, but take a moment to think ahead — 
even if the message claims an urgent scenario. 


Also make sure that you take time to verify and validate any information that 
looks odd or suspicious. Go through their claims with a fine tooth comb and 
remember to remain skeptical. Even if you get a message from a company you 
do business with, make sure the URL link matches the company’s website 
verbatim. If they provide their phone number, you can do a reverse phone 
lookup on the Internet to cross-check their validity. Make sure that you never 
respond to an email that requests information such as your username or 
password. Reputable companies would never ask for your personal information 
in an email. 


In addition, make certain that you never respond to false messages claiming to 
be a response for the help you never requested. Delete these before ever opening 
them because they could contain links to malware that would destroy your 
computer. The best way to combat bad links is to use legitimate means to find 
them. For example, don’t follow the link in an email if you want to verify it. 
Instead, use a Google search because it extremely unlikely that an attacker with a 
face website has beaten legitimate websites in SEO endeavors to rise to the top 
of the search rankings. 
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Chapter 14 — Man-In-The-Middle Attacks 


Man-in-the-middle attacks are extremely dangerous for end users because a 
successful attack will allow a hacker to view all of the data that a user is sending 
over the network. If the user is setting up a connection to a VPN server, the 
hacker will be able to capture their key to decipher their encrypted messages. In 
addition, the hacker will be able to see all of the websites the user visits as well 
as steal information such as usernames, passwords, and even payment card data. 


An attacker performs this exploit by tricking the target’s computer into thinking 
that the attacker’s computer is the default gateway or intended destination for 
data transmissions. For example, let’s say that you wanted to do a Google 
search. Normally, your data would be sent to your default gateway (e.g. your 
wireless router), routed through the public Internet, and then reach one of 
Google’s servers. However, with a man-in-the-middle attack, your data would 
first be sent to a hacker somewhere in the middle of the process before reaching 
Google’s servers. 


These attacks are extremely problematic because it is very difficult to determine 
that your data is being sent to a hacker before it reaches the intended destination. 
Hackers know this, and their goal is to sit back quietly and discretely listen to all 
of the traffic you are sending without your knowledge. 


Though there are many ways to initiate this type of attack, such as with a DNS 
attack that redirects information to a hacker’s IP address, they are most 
frequently carried out with a process called ARP spoofing. If you remember, I 
had introduced you to the concept of ARP in chapter 5. If you don’t remember, 
realize that ARP is the process that links a layer 2 address (MAC address) with a 
layer 3 address (IP address). 
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With ARP spoofing, the goal is to trick the target host into thinking that the 
hacker’s MAC address is bound to the default gateway’s IP address. That way 
the target will send any data that is not destined for a device on the local network 
to the hacker first. In turn, the hacker will then send the target’s data to the 
default gateway and out to the public Internet. 


While the basics of understanding a man-in-the-middle attack using ARP 
spoofing are rather basic and straightforward, ARP spoofing is only half of the 
battle. Once you have tricked a client into sending you their data, how do you 
see and read what they have sent? This brings us to the idea of tools called 
packet sniffers. A packet sniffer will be able to show you all of the data flowing 
over your computer’s network interface card. The details of the information 
contained in the packet sniffer data are rather complex, but you can sort through 
all of the data using filters. One of the easiest packet sniffers to use is Wireshark 
on Windows, but Linux also contains some great packet sniffing programs that 
integrate with the terminal. You even have the ability to store and save all of the 
data you have collected from a target and you can sift through the information at 
your own leisure. 


As this is an advanced topic, you likely won’t understand all of the various 
protocols you see in the data collected from your packet sniffer. However, as a 
demo aimed at beginners, you can sort through the data by filtering results for 
port 80 (HTTP) which will show you the IP addresses of the web servers the 
target is connecting to. Basically, this will show you every website the victim 
visited as well as other information such as usernames and passwords. 


Though some are sent in plain text and you can read them from your packet 
sniffer, many will be encrypted. Your packet sniffer can record these keys and 
then you can use other utilities to crack their passwords, but this is a little harder 
an impractical unless you want to become a black hat hacker. So, for those 
reasons, I will show you how to initiate a man-in-the-middle attack with ARP 
spoofing and how to use a packet sniffer to see what websites a target is 


www.engbookpdf.com 


connecting to. Also, understand that packet sniffing on a wireless interface is a 
little different than sniffing on an Ethernet interface. For that reason, this demo 
will show you how to perform the attack on a wired Ethernet interface. 
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How to Perform a Man-In-The-Middle Attack 


To start the attack, we first need to successfully spoof an ARP binding. To do so, 
we are going to use a tool on Kali Linux called ‘arpspoof.’ The syntax for this 
command is as follows: 


-sudo arpspoof —i eth0 -t [TARGET ADDRESS] [DEFAULT GATEWAY 
ADDRESS] 


So, if you wanted to trick a host on your local network with the address of 
192.168.1.10 into thinking you were the default gateway, the command would 
look like this: 


-sudo arpspoof —i eth0 —t 192.168.1.10 192.168.1.1 


If you don’t know your default gateway address, just use the ipconfig command 
in Windows or ifconfig in Linux. If you didn’t know of any valid host IP 
addresses to target, you could simply issue a simple ping sweep using NMAP as 
we did in chapter 7. The command listed above will trick the 192.168.1.10 host 
into believing your computer’s MAC address is associated with the default 
gateway’s IP address of 192.168.1.1. At this point your terminal window will 
continually spit out lines of code ensuring that the spoofing process is 
succeeding, so you will need to open another terminal window to proceed with 
the attack. 


But there’s just one problem. You have only done half of the spoofing attack. At 
this point, your target thinks that you are the default gateway, but this isn’t true 
in the reverse process. That is to say that the default gateway doesn’t think you 
are the target host! So, in your new terminal window we are going to need to 
start another ARP spoofing procedure. The syntax will be the same, except the 
target and default gateway addresses will be swapped as follows: 
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-sudo arpspoof —i eth0 —t 192.168.1.1 192.168.1.10 


At this point in the attack, you have fooled both the default gateway into 
thinking that you are the target host and you have fooled the target into thinking 
that you are the default gateway. Now all you need is for the target to transmit 
data and to inspect that data on your computer. There are some higher level tools 
that will actually capture the data you catch during the process instead of 
dumping it as raw data into a text file, but packet sniffers offer a wealth of 
information too. Remember to keep both of the previous terminal windows open 
as they are still constantly running the ARP spoofing process. 


If you want to use a high level tool to see the data a target is searching for online 
that isn’t too complex, you might be interested in driftnet. Driftnet is a tool that — 
while far from perfect — is a great way for newbies to try their hand at a man-in- 
the-middle attack and view data such as audio files, graphics, and MPEG4 
images and automatically display them in the GUI. To use driftnet, which is 
packaged with Kali, run the following command: 


-sudo driftnet —i eth0 


If you are doing this demo in your home network environment (as I instructed 
you to do many times already), try running the driftnet command. Then do a 
quick Google image search on the target device. The attacking computer that sits 
in the middle should be able to see all of the images that the target device is 
viewing. Pretty neat, huh? The problem though is that people can abuse these 
types of attacks to get away with murder and steal some truly sensitive 
information. Again, I caution you not to use this technique outside of your own 
home because the consequences could be very severe! 


Lastly, if you want to dig a little deeper with these types of attacks, you would 
want to use a packet sniffer and dig into the raw data that your attacking 


www.engbookpdf.com 


computer is gathering. You can see a lot more than simple images, and once you 
dig into the transmission protocols you can find data such as login information, 
data a user has entered into fields on a web form, and just about every single 
thing they do online! 
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Chapter 15: Cracking Passwords 


Though you might not think so at first, your email is actually one of the most 
dangerous accounts to lose to a hacker. The reason being that there is so much 
personal information stored in your inbox. Once an attacker has access to your 
email account, you’re in for a world of hurt because they will be able to see and 
intercept all of the messages that reach your inbox. Worse yet is the idea that 
they now have a way to impersonate you. If they wanted to, an attacker could 
trick other people in your address book into forfeiting additional information by 
using your identity to request that information. 


Furthermore, there is going to be a ton of sensitive data linked with your email 
account. Websites today are getting pretty complex, and there are a lot of ways 
to link a user’s login credentials and web activity with their email address. For 
example, there will likely be emails and promotions from sites that you have 
already done business with sitting in your inbox or spam folder. This gives an 
attacker clues as to where he or she can look to uncover additional information. 
They may also be able to see what purchases you have made with online sites 
such as Amazon. 
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Password Cracking 


While all of these scenarios are terrible, by far the worst advantage an attacker 
gains is the ability to further hack your passwords. There are several techniques 
an attacker can employ, but they all exist to steal your credentials to escalate 
their privileges. For example, who knows what an attacker might purchase if he 
or she had access to your Amazon account and payment card data? 


Now that you have a basic understanding of how critical secure passwords are 
and the consequences of what an attacker can do once they get your password, 
let’s look at the basics. I sure that cracking passwords sounds cool and really 
complicated, but some of the methods used are unbelievably simple and even a 
little anticlimactic. 


As commonly mentioned throughout this book, don’t try to hack someone else’s 
passwords because the consequences can terrible if you get caught. Don’t try to 
hack into a person’s email and see how many of their accounts you can break 
into just for the hell of it; that would be a huge breach of privacy and I shudder 
to think what might happen if you get caught stealing someone’s payment card 
data. 


To be honest, it would be pretty difficult for a single user who doesn’t have 
knowledge of information technology to discover how their account was hacked 
in the first place, but in a corporate or professional setting the I.T. department 
would have numerous tools to track electronic transactions and discern what IP 
address the attack or attempt was made from. 


The first, and simplest technique for gaining a user’s password assumes that you 
already have access to their email account. Most users typically only have 1 
main email account that they use, but there could be several. Anyway, after you 
have obtained access to their email you can use the password recovery 
mechanisms built into most online account. While most people choose to cache 
their usernames in their browser so they don’t need to reenter them every time 
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they login to a website, you don’t even need to know their username. You see, 
most websites provide an account recovery feature that allows a user to input 
their email address to receive their username and password. 


Some sites require that the account recovery feature erases the old password and 
generates a new and random password, but all of this information is 
communicated via email. So, if an attacker controlled and user’s email account 
and wanted access to their bank’s website, Amazon account, social media 
accounts, or just about anything else, all the attacker has to do is browse to the 
given website and perform the steps necessary for account recovery. This is an 
extremely quick process, and in a matter of minutes an attacker could easily gain 
access to the most critical sites that the user visits. 


While this may not be a sexy process, it sure gets the job done and can ruin an 
individual’s personal security. However, this is just the simplest measure to 
crack passwords and it presents a problem. How did you gain access to their 
email in the first place? There are countless other ways that an attacker can crack 
passwords to first gain access to the email account. For example, if a user isn’t 
very technically inclined, it is a safe bet that they don’t understand anything 
about password complexity. Though they think they are being clever, users are 
making a huge mistake when they make their passwords their birthday, the name 
of their dog, or other easy to guess pieces of information. 


Other times, these simple minded users will actually write their passwords down 
near their computer or plaster a sticky not on their monitor. It is even possible to 
trick these people into forfeiting their email passwords with social engineering. 
All of these methods are easier to use than you might think, and it gives an 
attacker a foothold into the rest of their user accounts. 
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Password Cracking Utilities 


There are many different password cracking utilities to take advantage of, but we 
are going to take a brief look at the most popular pieces of software. Hackers 
will employ several of these tools in conjunction with one another to facilitate 
their attacks. They simply don’t start with a brute force attack because 
passwords can often be found using quicker methods. With that said, a brute 
force attack is usually the last resort when other methods have already failed. 
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John the Ripper 


John the Ripper is probably one of the most famous and revered password 
cracking utilities in hacker communities. It is highly efficient and effective, but it 
does suffer from one fatal flaw that often keeps it out of the hands and minds of 
newbies: it was developed for Linux. Though it does have ported versions, keep 
in mind that it is natively a Linux application. 


Because some of these tools are exclusively built with Linux in mind, you will 
surely need to get your feet wet with the Linux operating system to become a 
competent hacker. By now you should have already setup a Linux environment 
to run through some of the demonstrations in this book using VMWare. If you 
haven’t already, it is high time to build your first Linux environment. 


As with most powerful Linux software, this program is run from the command 
line and can be a little scary if you aren’t already used to working from the 
command line. But that’s just part of the learning curve; once you get 
comfortable in this environment, you’ ll be able to run all kinds of software that 
is far more powerful than basic GUI software like you might find in a Windows 
environment. However, there is a version of this software on Mac devices since 
Macs derive from an old and powerful UNIX distribution called BSD. 


One extremely handy feature of this software is the method with which it uses to 
crack passwords by automating the process. To start, it will begin with a 
dictionary based attack. If that fails, it will move on to use a hybrid approach to 
crack passwords. If even the hybrid approach fails as will, it will resort to a brute 
force attack. 
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Ophcrack 


Ophcrack is the first of the password cracking tools we will discuss, and like 
many of these tool, it is free to download and use. It can be used to crack 
passwords on a variety of operating systems, but this tool has gained most favor 
from hackers that are attempting to crack Windows passwords. However, it can 
still be used to facilitate attacks on Linux and Mac passwords. Though it does 
have simpler and more effective algorithms, this piece of software will allow a 
user to perform a brute force attack. Lastly, it even has a feature that will allow 
you to create a live boot image. 
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LOphtcrack 


LOphtcrack is really a suite of software that allows you to perform many 
different password functions. For example, it can be used to audit password 
strength and complexity to bolster your security efforts. Given the range of 
functions this software provides, it is frequently used with computer security 
firms as well as governmental organizations such as military applications. Not 
only can it run on versions of Windows that are higher than Windows XP, it can 
also run on some Linux and BSD distributions. Like other password cracking 
utilities, it will allow an attacker or security expert to run both dictionary based 
attacks and brute force attacks. 
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Cain & Abel 


Cain & Abel is another popular password cracking utility. Its features exceed 
only the ability to crack basic passwords or operating system passwords, and it 
even has some features that aid in the process of wireless security-key cracking. 
However, it can only be used exclusively in a Windows environment and it 
allows users to crack passwords that have been encrypted and encoded in various 
formats and protocols such as MySQL, Oracle, MD5, SHA1, SHA2, and various 
wireless encryption algorithms. 


As with the other utilities, this software will perform a variety of different 
password cracking methods such as dictionary attacks, rainbow attacks, and 
brute force attacks. One extremely useful feature of this software is that you can 
set parameters to fine-tune the brute force attack such as the length of the 
password you are trying to crack. This has the ability to eliminate millions of 
potential password combinations that would otherwise drastically multiply the 
length of time needed to carry out the attack. 
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In Summary 


These tools aren’t incredibly difficult to use, but most users don’t have any clue 
that they exist. Really, all of the hard work has been done already by the expert 
programmers who created this software. All that’s left to do is for it to be used 
by an experienced hacker. Tools like these are so easy to use that teenagers with 
little experience in the real world can find ways to use them to hack into other 
people’s computers. Though I wouldn’t recommend using these tools for evil, 
they are certainly fun to use in a home environment. 
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Chapter 16 — Protecting Yourself from Hackers 
l 


At this point in the book you have probably already asked yourself at least once, 
“What can I do to protect myself from hackers?” The good news is that there are 
a lot of easy and simple measures you can take that will drastically reduce your 
chance of being hacked by a nefarious black hat hacker on the Internet. This 
chapter focuses on the different strategies you can use to make your computer 
and home network more secure. For those of you who are very technologically 
savvy, a few of these might seem like no-brainers. However, you would be 
surprised how many people fail to implement even the simplest measures 
regarding their Internet security. 
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Software Updates 


Software updates are crucial to protecting yourself from hackers, but too many 
people ignore updates. Most operating systems have an automatic update setting 
that will automatically download and install patches to the operating system. The 
problem is that most people are apathetic or just plain lazy and they don’t want 
to take the time to install the updates. And why not? To be honest, it’s a bit of an 
inconvenience to some people. You might be right in the middle of a large 
project or your work day, and installing updates requires that you reboot your 
computer and wait for an unknown amount of time while the operating system 
install the patches. But I’ve got news for you — you need to take great care to 
install updates as soon as humanly possible. 


Even after some of the viruses mentioned in chapter 3 were discovered and 
patched, there were still millions of computers that were still contained 
vulnerabilities all because the users failed to update their software. If everyone 
had installed the updates as they came out, the viruses would have been stopped 
dead in their tracks. 
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Change Default Usernames and Passwords 


Too many people don’t think twice about changing the default usernames and 
passwords on their networking equipment. While most people try to create 
unique usernames and passwords for their personal computers, they often forget 
to secure network devices, wireless routers, and even their printers. Wake up 
people, hackers not only have ways to perform password attacks but they already 
know how to find the default usernames and passwords to your wireless router in 
a matter of seconds. 


Furthermore, some people fail to secure their Wi-Fi network. Instead of using a 
security algorithm that will make it hard for attackers to join their network 
subnet, they give them an open door and invite them to come inside. Some, but 
not all, wireless routers don’t include a default wireless password. 


Worse yet, when people are initially configuring their wireless routers, they fail 
to add a password to their Wi-Fi. You simply can’t leave these values at their 
defaults if you hope to protect yourself from online attacks. Lastly, most wireless 
home routers have an option in the configuration that determines who can 
remotely manage the device. If you lock down this setting to a specific IP 
address, hackers won’t be able to log into your wireless router even if they know 
the username and password! 
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Use Strong Passwords 


Not only should you create unique usernames and passwords for your devices 
that are different from the default values, but you should also make your 
passwords strong. You can do this by making them as long as possible and by 
including numbers, letters, and special characters. Though it’s true that hackers 
have ways to perform dictionary and brute force attacks whereby they try to go 
through every possible combination to find the correct password for a system, 
know that these techniques don’t work in every situation. Some websites and 
networking devices have built-in protection against brute force attacks that don’t 
allow you to attempt to login for a certain time period after a specified number 
of failed login attempts. Password security is a huge area of study, and most 
hackers know what types of data users incorporate into their passwords to 
remember them easier. So don’t make your street address, family pet’s name, or 
birthdays part of your passwords. 


Oh, and don’t be one of those jokers that has their password written on a sticky 
note that is attached to your monitor. A hacker implementing social engineering 
wouldn’t even have to try. You’re making it too easy for them by displaying 
your passwords for all the world to see. In addition, make sure that you don’t 
store your passwords in plain text files or other types of files that aren’t 
encrypted. If a hacker does steal some of your data and they get their hands ona 
file that contains usernames and passwords to other sites and services, you’re in 
for a world of hurt. 
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Properly Configure Your Firewalls 


Firewalls are a critical part of any security solution designed to protect users 
from hackers, and you need to make sure that your firewall is configured 
correctly. In the past, I have seen some people struggle with opening the right 
ports to get their software configured correctly. One area this happens a lot is 
with gaming. 


Many games need specific ports opened that aren’t well known, and in a fit of 
madness and frustration, users choose to open all the ports on their firewall to 
make their game work correctly. This is a colossal mistake, because it will allow 
hackers to penetrate your network firewall if none of the ports are blocked. If 
you have problems getting a game to work on your home network, just do a 
quick google search to see which port needs to be opened! 


Furthermore, many people fail to take advantage of software firewalls. While 
many hardware firewalls have most of the ports blocked by default and do a 
good job of protecting a local area network, but few people protect themselves 
with a firewall on their host computer. If you are a Windows user, whether you 
know it or not you already have a software firewall that will add an extra layer of 
protection between you and black hat hackers. Though sometimes it is 
appropriate to disable your software firewall to allow a program to function 
correctly, you always need to remember to re-enable it after you have finished 
your work. 
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Antivirus and Antimalware Software Solutions 


If you do get hacked and a hacker manages to hack your system with a virus or a 
Trojan, how will you know it exists without antivirus and antimalware software? 
Using a computer without security software is like begging for an attacker to 
steal your personal information. 


But it doesn’t stop there. It has been said many times before, but understand that 
torrents are frequently used as a distribution system for viruses. Too many 
people have fallen victim to a hacker’s virus because they wanted to watch some 
video content without paying for it. If you download torrents without antivirus 
software, you’re just asking for trouble. If you do have antivirus software, you 
can scan the files you download before opening them to detect any potential 
malicious code embedded in your download and avoid a computing crisis. For 
that matter, you should scan every download before you open it. You never 
know what could be hiding in an innocent-looking file. 
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Using VPNs 


If you aren’t aware of VPN tunnels, you need to know the immense value they 
bring to the table. A VPN (Virtual Private Network) is essentially a service that 
encrypts all data communications between two endpoints — effectively making it 
impossible for a hacker, governmental agency, or petty Internet crook to 
unscramble and decipher the data. This guide isn’t promotional material for VPN 
providers, but the fact of the matter is that they can prevent you from getting 
hacked. Not only that, but they can stop the government from stealing your data. 
As a result of the information leaked by Edward Snowden, the US government 
and the N.S.A. have been found to be capturing emails, photos, telephone calls, 
instant messages, and many other types of data transmissions in an effort to 
prevent terrorist-related activities. However, the N.S.A. has stated that they 
haven’t found any information that has stopped even one terrorist-related event. 
By encrypting your data, you will make it safe from hackers around the world 
while it is in transit through the public Internet. 
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Backing Up Your Data 


You might think that backing up your data is only a measure to protect yourself 
from hardware failure. While it does certainly help you out a ton if your 
computer fries, you should know that using backup software will protect you 
from black hat attacks as well. Some of the more sophisticated attacks damage 
and corrupt files, or even embed malicious code into common everyday files 
such as word documents. By keeping a backup copy, you can rest assured that 
you will have a clean and virus free copy of your data in the event of an attack. 
Remember the Crypto Locker virus in chapter 3? If only the users had backed up 
their data, they wouldn’t have had to worry about paying an Internet huckster 
loads of money to reclaim their data by means of ransom. 
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Web Browser Security 


There are also a lot of things you change in your web browser that will 
drastically reduce the chance of a successful attack. As we discussed earlier, 
hackers can use malicious scripts to steal cookie and web browser data to steal 
the passwords to various sites. 


Make sure you don’t save and cache all of your username and password 
information in your web browser when visiting your favorite sites on the 
Internet. This is a huge No-No, because you are leaving low-hanging fruit ripe 
for the picking within the grasp of black hat hackers and Internet thieves. You’re 
also a lot better off if you disable cookies in the first place. By disabling cookies, 
you can circumvent a whole range of different online attacks and nip them in the 
bud before they become a real problem. 


It’s best to keep your web browser as light and streamlined as possible, and the 
more data you save in your browser the greater the chance that someone will be 
able to steal your information. Also consider that you should frequently clear 
your history as well. This provides a veritable audit trail, and an attacker could 
use this information to see every website you have visited on the Internet. 
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Final Thoughts 


I want to make sure you understand that no code will ever be 100% infallible. 
Computers are created and manufactured by humans who are anything but 
perfect, and mistakes are always made. That is to say you run the risk of being 
attacked every time you fire up your computer and open your web browser — 
regardless of whether or not you have implemented these security practices. 


In fact, they say that the most secure computing system is one that doesn’t have 
the ability to connect to the Internet at all. However, implementing these security 
measures will make it much more difficult for an attacker to successfully 
compromise your computer. Think of using these security practices in the same 
light as risk aversion. For example, if someone is a vegetarian their whole life 
and they abstain from alcohol and smoking, the chance that they will develop a 
chronic or life-threatening disease is slim to none. 


Though it is still possible, their lifestyle choices severely reduce their risk of 
disease. Likewise, implementing these security procedures works in much the 
same way. The ugly truth is that operating systems and websites contain flaws 
and errors that can be exploited by hackers. It’s just a fact of life. But by 
strengthening your security, you make it much more difficult — if not impossible 
in some cases — for an attacker to successfully hack into your computer. 
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